MCNA Dental Reaches Multimillion-Dollar Settlement Over 2023 LockBit Ransomware Attack
MCNA Dental has agreed to a proposed multimillion-dollar settlement to resolve class action claims stemming from a 2023 LockBit ransomware attack that exposed the data of nearly 9 million individuals, including children.
MCNA Dental, one of the largest providers of U.S. government-sponsored dental benefits for children, has reached a proposed multimillion-dollar settlement to resolve consolidated class action litigation arising from a 2023 LockBit ransomware attack. The breach, which affected nearly 9 million individuals, exposed highly sensitive personal and health information of patients, parents, guardians, and guarantors. The settlement was filed in a Florida federal court on June 12, 2026.
Under the terms of the settlement, MCNA and co-defendant Healthplex—which MCNA acquired in 2019—will pay up to $2,500 per class member for undocumented out-of-pocket expenses, with those claims capped at $250,000 in total. The company has also agreed to provide two years of medical data monitoring services that include $1 million theft coverage. The monitoring has a retail value of approximately $179 per year for each enrolled class member. Because millions of people potentially qualify to automatically enroll, the total retail value of those benefits exceeds $3.2 billion, according to Jeffrey Ostrow, an attorney at Kopelowitz Ostrow representing the plaintiffs.
MCNA will also pay settlement administrative costs of up to $2 million, attorney fees of up to $6.4 million, and related litigation costs of up to $1.3 million. A source familiar with the case estimated the total settlement value at around $19 million, though attorney fees were calculated based on time and risk rather than a percentage of the settlement value. MCNA, a subsidiary of UnitedHealth Group since November 2020, denies any wrongdoing or liability in the incident.
The 2023 LockBit ransomware attack first came to light on March 7, 2023, when the LockBit gang claimed responsibility and demanded a $10 million ransom. MCNA did not pay, and on April 7, 2023, LockBit published 700 gigabytes of stolen data on its dark web leak site for anyone to download. The compromised information included names, addresses, Social Security numbers, driver's license numbers, health insurance details, Medicaid and Medicare IDs, and dental care records.
An amended complaint filed in September 2024 consolidated about two dozen lawsuits, alleging that MCNA's "lax" and negligent security practices failed to protect sensitive data, creating a "present and continuing risk" for identity theft and medical identity theft. The breach affected over 100 organizations, including the Arkansas Department of Human Services, the City of New York Management Benefit Fund, Florida Healthy Kids Corporation, and several other state agencies.
As part of the settlement, MCNA agreed to continue taking reasonable steps to secure its systems and environments, though court documents do not specify the exact changes implemented. The court has not yet scheduled dates for preliminary approval or a final hearing. This settlement adds to the growing list of costly legal resolutions stemming from the LockBit ransomware group's widespread attacks, which have targeted healthcare, government, and private sector organizations globally.