Florida-based dental insurer sued after hackers steal info about 8.9 million people

Ron Hurtibise, South Florida Sun Sentinel
·3 min read

It doesn’t take long after announcing a data breach for companies to become targets of class-action lawsuits.

One such company, Miramar, Florida-based Managed Care of North America Dental, reported on May 26 that it suffered a ransomware breach between Feb. 26 and March 7 that affected 8.9 million individuals.

MCNA Dental is the nation’s largest dental insurer for government-funded Medicaid, Medicare and Children’s Health Insurance Program (CHIP) organizations. The company takes in about $78 million in revenue every year.

Thieves, MCNA admitted, swiped consumers’ personal information, including names, Social Security numbers, dates of birth, addresses, driver’s license or government-issued identification numbers, telephone numbers, email addresses and health insurance information such as the name of consumers’ plans and who pays them, their insurance ID numbers, plan and group numbers, and records regarding dental and orthodontic care. Victims include patients, parents, guardians, or guarantors, the company said.

Less than three weeks later, MCNA Dental has been served with five lawsuits.

On Tuesday came a suit by John Anson of Des Moines, Iowa, who says he has been victimized by the time he spent checking his credit files for unauthorized charges. Like the other suits, Anson’s seeks injunctive relief, damages, restitution, costs and reasonable attorneys fees.

“The exposure of one’s personally identifying information to cybercriminals is a bell that cannot be unrung,” Anson’s lawsuit states. “Before this data breach, consumers’ private information was exactly that — private. Not anymore, Now, consumers’ private information is forever exposed and unsecure.”

Anson’s suit questions why MCNA Dental waited three months before notifying victims of the breach — months that the victims could have been spending protecting themselves.

Instead, the suit says, they “had their most sensitive personal information accessed, exfiltrated, and stolen, causing them to suffer ascertainable losses in the form of loss of the benefit of their bargain and the value of their time reasonably incurred to remedy or mitigate the effects of the attack.”

Anson’s own infirmaries include “feelings of anxiety, sleep disruption, stress, fear and frustration,” according to the complaint.

The suit, filed by Boca Raton, Florida, law firm Osborne & Francis PLLC and three other firms from outside Florida, states that MCNA’s breach differs from typical data breaches “because it affects consumers who had no relationship with MCNA, never sought one, and never consented to MCNA collecting and storing their information.”

Rather, MCNA sourced its information from third parties, storing it on its system and assuming a duty to protect it, the lawsuit states. While advertising that its strengths included an “ability to administer dental plans in an effective and innovative manner while safeguarding (its) members’ protected health information,” MCNA never implemented the security safeguards, the suit claims.

In revealing the breach, MCNA offered affected consumers a year of free identity theft protection through the company IDX. And it posted a notification about the breach on IDX’s website listing about 100 organizations that might have stored members’ information on MCNA’s website.

The organizations include Florida Healthy Kids Corporation and Florida Agency for Health Care Administration.

MCNA stated it is “making our computers systems even stronger than before because we do not want this to happen again.”

Consumers with questions are urged to call 1-888-220-5006.

Anson’s lawsuit states that the theft was carried out by “the notorious LockBit ransomware gang.” LockBit, the suit states, is one of the most active ransomware groups and has bragged of similar attacks against more than 1,000 companies. After MCNA allowed the deadline of its ransom demand to pass, LockBit released more than 700 GB of information obtained from the breach onto a data leak page, several sources claimed.

While authorities previously urged ransomware victims not to give into demands, new forms of attacks using double-extortion methods have changed the rules of the game, according to the website DarkReading.com. Some experts now advise giving into attackers’ demands could be more beneficial in the long run, the site said.

Meanwhile, the number of lawsuits against MCNA Dental will likely become smaller over time as courts entertain calls to merge them, authorities say.