MCNA Dental Data Breach Lawsuit Says Notorious Ransomware Group Stole Consumer Information

New to ClassAction.org? Read our Newswire Disclaimer

A proposed class action lawsuit alleges MCNA Dental has unlawfully failed to safeguard the sensitive information of millions of current and former customers.

Want to stay in the loop on class actions that matter to you? Sign up for ClassAction.org’s free weekly newsletter here.

The 54-page lawsuit says defendant Managed Care of North America claims to have first detected the data breach on March 6 of this year yet waited more than 11 weeks before notifying the public in late May that it had been hit by a ransomware attack. Managed Care of North America does business as MCNA Dental, the largest dental insurer for Medicaid and Children’s Health Insurance Programs (CHIPs) in the country, and many of its insureds are low-income or belong to other vulnerable groups, the case stresses.

In a data breach notice published online, MCNA Dental disclosed that the information potentially stolen by hackers includes current and former customers’ names, addresses, dates of birth, email addresses, Social Security numbers, driver’s license/Medicare/Medicaid ID numbers, and health insurance plan details, as well as details of the care patients received for teeth or braces (including visit dates, dentist/doctor names, past care, x-rays/photos, medicines and treatments) and specifics on bills and insurance claims. In the same notice, MCNA Dental listed more than 100 healthcare providers and plans that were indirectly impacted by the 2023 data breach, the suit says.

In addition, some of the stolen information belonged to parents, guardians or guarantors, the case appends.

According to a notice filed with the Maine Attorney General, more than 8.9 million people were impacted by the ransomware attack. As the suit tells it, consumers who entrusted MCNA Dental with their information had no idea that the company’s data security was “so inadequate.”

“MCNA Dental knew or should have known of the increasing number of well-publicized data breaches that have occurred in the United States,” the case reads. “And yet, MCNA Dental failed to adequately secure and upgrade its systems, allowing another breach to occur, this time compromising consumer Personal Information.”

Responsibility for the incident was claimed on March 7 by LockBit, one of the “most active” ransomware groups worldwide, the suit says. The lawsuit relays that LockBit published samples of data stolen from MCNA Dental and then threatened to publish 700GB of information exfiltrated from the insurer unless the group was paid $10 million.

According to the suit, LockBit “released all data” stolen from MCNA Dental on its website on April 7, “making it available for download by anyone.”

Per the case, the plaintiff, a Vidalia, Louisiana resident, received notice of the MCNA Dental data breach on May 26 yet had already been the target of “financial crimes” in the period between when the ransomware attack occurred and when the public was notified. The fraudulent activity to which the plaintiff was subjected included a phishing attempt and “six new inquiries on her credit report of bad actors attempting to open new lines of credit using her information,” the filing says.

The lawsuit alleges MCNA Dental ran afoul of Health Insurance Portability and Accountability Act (HIPPA) privacy rules by losing control over consumers’ sensitive data, namely by failing to ensure that it maintained “adequate and commercially reasonable” cybersecurity.

“There are strong indications that the Personal Information exfiltrated from MCNA Dental’s network has been published and is still being offered for download and/or sale on underground marketplaces,” the suit warns.

The lawsuit looks to cover all consumers residing in the United States whose personal information was maintained on MCNA Dental’s systems that were compromised as a result of the data breach announced by the company on May 26, 2023.

Are you owed unclaimed settlement money? Check out our class action rebates page full of open class action settlements.