MNGI Digestive Health Agrees to Pay $2.8 Million to Settle Data Breach Lawsuit
MNGI Digestive Health has agreed to settle a class action lawsuit that alleged negligence for failing to protect the sensitive data of its patients. The litigation stems from a 2023 ransomware attack by the ALPHV/Blackcat ransomware group on the Minnesota gastroenterology practice.
MNGI Digestive Health detected the attack on August 25, 2024, and the forensic investigation confirmed that its network was first breached on August 20, 2024. MNGI Digestive Health said the data compromised in the incident included names, medical information, health insurance information, dates of birth, patient account numbers, financial account information, driver’s license or state ID numbers, passport numbers, payment card information, usernames and associated passwords, taxpayer ID numbers, biometric data, and Social Security numbers. The breach was reported to the HHS’ Office for Civil Rights as affecting 767,670 individuals.
Several class action lawsuits were filed against MNGI Digestive Health over the data breach, which were consolidated into a single action in the Minnesota District Court for Hennepin County – In Re MNGI Digestive Health, P.A. The plaintiffs alleged MNGI Digestive Health failed to implement reasonable and appropriate cybersecurity measures, and had those measures been implemented, the data breach could have been prevented. In addition to negligence, the plaintiffs asserted claims of negligence per se, breach of implied contract, unjust enrichment, breach of fiduciary duty, and violations of the Minnesota Consumer Fraud Act, Minnesota Uniform Deceptive Trade Practices Act, and Minnesota Health Records Act.
MNGI Digestive Health maintains there was no wrongdoing and denies liability and all claims and contentions in the lawsuit; however, the decision was made to settle the lawsuit to avoid the costs, risks, and uncertainties of continuing with the litigation. All parties have agreed to the settlement, which has received preliminary approval from the court. Under the terms of the settlement, class members may submit a claim for documented, unreimbursed costs, expenses, and losses fairly traceable to the data breach up to a maximum of $10,000 per class member, plus two years of “Medical Monitoring,” which monitors private healthcare information for exposure to medical fraud.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
All class members may also submit a claim for a cash payment, irrespective of whether a claim is submitted for reimbursement of losses. Cash payments will be paid pro rata after all legal costs, expenses, attorneys’ fees, class representative awards, claims, and Medical Monitoring costs have been deducted from the $2,838,749.62 settlement fund.
The deadline for exclusion from or objection to the settlement is August 05, 2025. The deadline for submitting a claim is September 04, 2025, and the final fairness hearing has been scheduled for September 04, 2025.
