Cybercrime
,
Data Privacy
,
Data Security
2023 LockBit Attack Affected Nearly 9M People, Including Children
MCNA Dental, one of the largest providers of U.S. government-sponsored dental benefits to children, has agreed to a proposed multimillion dollar settlement to resolve consolidated class action claims stemming from a 2023 LockBit ransomware attack and data theft that affected nearly 9 million people.
See Also: OnDemand | Transform API Security with Unmatched Discovery and Defense
Under the settlement filed in a Florida federal court on June 12, MCNA and co-defendant Healthplex, which MCNA acquired in 2019, will pay up to $2,500 per class member for claims of undocumented out-of-pocket expenses. Those claims are capped at $250,000 in total.
MCNA has also agreed to pay for two years of medical data monitoring services that includes $1 million theft coverage. The monitoring has a retail value of about $179 per year for each class member who enrolls.
Because of the millions of people who potentially qualify to automatically enroll, the total “retail value” of those benefits exceeds $3.2 billion, said Jeffrey Ostrow, an attorney at law firm Kopelowitz Ostrow, which is representing plaintiffs in the settlement.
Another source familiar with the case, who asked not to be named, said it’s unlikely all eligible class action members will enroll in the monitoring.
Also under the settlement, MCNA will pay settlement administrative costs of up to $2 million, attorney fees of up to $6.4 million and related litigation costs of up to $1.3 million.
Typically, in many similar breach class action cases, plaintiffs’ attorney fees represent about one-third of the case’s estimated total settlement costs, which brings the value of the MCNA settlement to around $19 million, the source told ISMG.
But attorney fees in the MCNA settlement were calculated based on the “reasonable amount of time class counsel spent litigating the action, modified to account for the risk that class counsel undertook and the results achieved,” rather than a percentage of the settlement value, Ostrow told ISMG.
“Examining the value of all settlement benefits for the settlement class, attorneys’ fees will be a tiny fraction of the total value,” he said.
Managed Care of North America or MCNA, a subsidiary of UnitedHealth Group, since November 2020, denies any wrongdoing or liability in the incident.
As part of the settlement, MCNA agreed that the company has “undertaken and will continue to undertake reasonable steps to further secure their systems and environments, including changes and improvements that have been made or are being made to protect settlement class members’ private information.”
Court documents don’t specify the types of business practice changes MCNA implemented to bolster its data security following the 2023 hack. Ostrow told ISMG that MCNA’s improved data security practices are also another “added value” of the settlement for class members and plaintiffs.
An amended second complaint filed in September 2024 that consolidated about two dozen lawsuits, alleged a long list of claims against MCNA, including “lax” and negligent security practices that MCNA failed to protect the sensitive personal information of more than 8.9 million patients, parents, guardians and guarantors (see: Dental Health Insurer Hack Affects Nearly 9 Million).
Those alleged failures led to “present and continuing risk” for identity and medical identity theft for affected patients whose highly sensitive private Information is “now in the hands of sophisticated cybercriminals,” the lawsuit alleged.
Information potentially compromised in the data breach included names, physical addresses, email addresses, dates of birth, Social Security numbers, driver’s license numbers, government-issued ID numbers, health insurance information – such as plan information, insurance company name and member number – Medicaid and Medicare ID numbers, information regarding dental or orthodontic care and plan group number.
The complaint alleged that on March 7, 2023, the LockBit ransomware gang claimed responsibility for the MCNA ransomware attack, demanding a $10 million ransom under the threat to publish 700 gigabytes of confidential information hackers allegedly exfiltrated from the company’s computer networks.
MCNA didn’t pay the ransom – and consequently, LockBit on April 7, 2023, posted on its dark website the company’s stolen data for download “by anyone,” the complaint alleged.
An attorney representing MCNA in the case did not immediately respond to ISMG’s request for comment on the settlement.
As of Thursday, the court had not yet scheduled dates for a preliminary approval or a final hearing in the settlement.
After the incident in 2023, Fort Lauderdale, Florida-based MCNA said over 100 organizations were affected by the breach. That included the Arkansas Department of Human Services, the City of New York Management Benefit Fund, Florida Healthy Kids Corporation, the Idaho Department of Health and Welfare, the Iowa Department of Human Services, Louisiana Department of Health, and Nebraska Department of Health and Human Services.
MCNA is a provider of dental and orthodontic care to members of some state Medicaid agencies and the Children’s Health Insurance Program, for which they provide dental benefits and services to more than 5 million children and their families.
In a separate incident involving MCNA’s Healthplex unit, New York State regulators in 2023 and 2025 fined the dental plan administrator $2.4 million for failing to protect data with multifactor authentication and other issues related to a phishing breach that affected 90,000 people (see: NY State Fines Dental Plan Firm $2M in Phishing Breach).
Click Here For The Original Source.
