Multi-million-dollar Settlement Agreed to Resolve MCNA Dental Data Breach Lawsuit
A settlement has been agreed to resolve class action data breach litigation against Managed Care of North America (MCNA), Inc., and MCNA Insurance Company, doing business as MCNA Dental and Healthplex, Inc. The companies were sued in response to a massive data breach in 2023 that affected almost 9 million individuals. In March 2023, the defendants identified unauthorized access to the MCNA network. The LockBit ransomware group was behind the attack and first gained access to the network on February 22, 2023. Access was maintained until March 7, 2023, when ransomware was used to encrypt files. Prior to file encryption, sensitive data was exfiltrated from the network, including personal and protected health information (PHI).
MCNA Dental is one of the largest providers of government-sponsored dental benefits to children through state Medicaid and Children’s Health Insurance Programs, and stores a vast amount of PHI. The investigation determined that the ransomware group accessed or exfiltrated the PHI of 8,923,662 individuals, including names, contact information, Social Security numbers, driver’s license numbers, government-issued ID numbers, health information, and health insurance information. When the ransom was not paid, the LockBit group proceeded to leak the stolen data. The affected individuals were notified about the data breach in late May 2023.
A data breach of this scale was certain to trigger multiple class action lawsuits, the first of which was filed on June 5, 2023. In total, the defendants were named in 25 putative class action lawsuits. The lawsuits were materially and substantively identical, with overlapping claims, and on July 13, 2023, the lawsuits were consolidated into a single action – Crowe et al. v. Managed Care of North America Inc. d/b/a MCNA Dental, MCNA Insurance Company dba MCNA Dental, and Healthplex, Inc. – in the United States District Court for the Southern District of Florida.
The consolidated lawsuit asserted claims for negligence, negligence per se, breach of implied contract, unjust enrichment, violations of state consumer protection act statutes, and declaratory and injunctive relief. A settlement failed to be agreed upon during court-appointed mediation, and the defendants sought to have the case dismissed. The lawsuit survived, and extensive discovery and litigation followed, along with a second failed attempt at mediation. After extensive subsequent settlement discussions, the material terms of a settlement were agreed upon.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
The terms of the settlement have now been finalized, with no admission of liability or wrongdoing by the defendants. The defendants have agreed to establish a multi-million-dollar settlement fund to pay benefits to the class members, attorneys’ fees (up to $6,400,000), attorneys’ expenses (up to $1,313,000), and settlement administration costs (up to $2,000,000). The total value of the settlement has not been made public.
Class members may submit a claim for reimbursement of documented losses due to the data breach up to a maximum of $2,500 per class member; however, these claims have been capped at a total of $250,000. Class members are eligible to claim two years of medical data monitoring services, which include a $1 million identity theft reimbursement policy. These services have a retail cost of $179.40 per year for each class member who enrolls. In addition to paying the costs and benefits, MCNA has agreed to take several steps to improve security and has updated its business practices to reduce the risk of similar breaches in the future.
While all parties have agreed to the terms of the settlement, it has yet to receive preliminary approval from the court. The dates for objection, exclusion, and submitting claims will be set when and if the court approves the settlement. Class members will start to be notified directly about the settlement within 30 days of the court’s preliminary approval order. The notifications will include information on how to submit a claim and a code to activate the medical data monitoring service.
