2023 LockBit Attack Impacted Nearly 9 Million Individuals, Including Children
In a significant development in the realm of cybercrime, MCNA Dental, a prominent provider of dental benefits for children under government-sponsored programs in the United States, has reached a proposed multimillion-dollar settlement arising from a substantial ransomware attack in 2023. This incident, attributed to the LockBit ransomware group, has been reported to have affected nearly 9 million people, raising considerable concerns regarding data privacy and security in modern healthcare systems.
The settlement was filed in a Florida federal court on June 12, 2026, wherein MCNA, along with its co-defendant Healthplex—which it acquired in 2019—has proposed to compensate up to $2,500 per affected individual for claims related to undocumented out-of-pocket expenses. However, total claims under this provision are capped at $250,000, reflecting the legal framework governing such actions. Additionally, as part of the settlement agreement, MCNA has committed to providing two years of medical data monitoring services for impacted individuals. This includes coverage against identity theft, reaching a total value of $1 million, while the monitoring service itself is valued at approximately $179 per individual annually.
Jeffrey Ostrow, an attorney representing the plaintiffs in this class action suit, indicated that the overall "retail value" of these monitoring services could surpass $3.2 billion, given the large pool of potential beneficiaries who might enroll. However, there are expectations that not all eligible individuals will take part in the offered monitoring services, according to insights from a source familiar with the case who requested anonymity.
Moreover, the settlement entails MCNA bearing significant financial obligations, including administrative costs up to $2 million, attorney fees reaching up to $6.4 million, and other related litigation expenses not exceeding $1.3 million. Insider reports suggest that, in typical breach cases, legal fees may constitute around one-third of the total estimated settlement costs; thus, bringing the total value of this settlement to approximately $19 million.
In what constitutes a cautious approach, MCNA, a subsidiary of UnitedHealth Group since late 2020, has firmly denied any wrongdoing in connection with the incident. Nevertheless, the company has agreed to undertake additional measures to enhance the security of its systems and safeguard sensitive data in the aftermath of the devastating 2023 hack. However, details pertaining to the specific security enhancements implemented remain undisclosed, as indicated in court documents.
An amended complaint filed in September 2024 consolidated numerous lawsuits against MCNA, highlighting alleged security shortcomings that enabled the breach. Plaintiffs pointed to what they characterized as "lax" security protocols that failed to adequately protect the personal information of over 8.9 million affected individuals—including children and their guardians. The allegations underscore a persistent and heightened risk of identity theft, with sensitive private data now reportedly accessible to advanced cybercriminal organizations.
The types of information that may have been compromised in this unauthorized breach are profoundly concerning. They include personal identifiers such as names, addresses, email addresses, dates of birth, Social Security numbers, and driver’s license numbers. Furthermore, health-related data, which encompasses insurance plan details, Medicaid and Medicare identification numbers, and specifics related to dental or orthodontic treatment, were also reportedly affected.
The LockBit ransomware gang asserted responsibility for this high-profile cyber incident on March 7, 2023. They demanded a ransom of $10 million—threatening to publish 700 gigabytes of sensitive data they had allegedly extracted from MCNA’s network. However, MCNA opted not to pay this ransom. Consequently, on April 7, 2023, the gang made the stolen data available for download on dark web platforms, intensifying the repercussions of this breach and underlining the need for robust cybersecurity measures across healthcare providers.
As the situation continues to unfold, the court has not yet set dates for preliminary or final approvals related to the settlement. In the wake of the 2023 incident, it was disclosed that over 100 organizations, including state departments and healthcare agencies across various U.S. states, were impacted by the breach.
In a related context, MCNA’s Healthplex division faced financial penalties exceeding $2.4 million after New York State regulators cited deficiencies in its data protection strategies, particularly issues linked to multifactor authentication and a phishing breach that compromised data belonging to 90,000 individuals. This historical negligence raises further scrutiny over the effectiveness of MCNA’s data security practices, underscoring the significant implications of the 2023 LockBit attack on a considerable number of vulnerable individuals within the healthcare system. As these developments proceed, stakeholders will closely monitor the measures implemented by MCNA to rectify past security failures and restore trust among their beneficiaries.