MNGI Digestive Health, a multi-location gastroenterology practice in Minnesota, received preliminary court approval on May 7 to settle a class action lawsuit stemming from an August 2023 cyberattack.
The incident was first reported on DataBreaches on September 25, 2023, but had been discovered by MNGI on August 25, 2023, after the BlackCat (AlphV) ransomware gang attacked MNGI on August 20 and exfiltrated what they claimed was more than 2 TB of files. Patient information included full names, dates of birth, passport numbers, drivers’ license or state identification numbers, medical information, health insurance information, payment card information, account numbers, and Social Security numbers.
The breach was particularly nasty, with BlackCat posting diatribes on its dark web leak site. As DataBreaches reported at the time, when MNGI did not pay, AlphV announced “TIME IS UP” and leaked more than 800 GB, and threatened them with more data leakage, spam, and harassment.
In October 2023, MNGI reported to HHS that the incident affected 767,670 patients. Individual notification letters were not sent out until July 2024, however.
Announcement of the settlement appeared on classaction.org:
The $2,838,749.62 MNGI Digestive Health settlement received preliminary court approval on May 7, 2025 and covers all individuals who received a notice regarding the data breach MNGI experienced on or around August 20, 2023.
As with all these settlements, there was no admission of any wrongdoing or liability by MNGI.
Those eligibile to file a claim can find eligibility information and filing instructions on the mngisettlement.com, the official settlement webssite.
As is this site’s practice in reporting on any settlement, Databreaches looked at the actual settlement agreement to see if there was any committment to improving security for patient data. Although it was not detailed, we spotted this provision:
Business Practices Changes & Confirmatory Discovery: Defendant has provided reasonable access to confidential confirmatory discovery regarding the number of Class Members and state of residence, the facts and circumstances of the Data Incident and Defendant’s response thereto, and the data security measures that have been made by Defendant since the Data Incident. The costs of the security measures to be implemented over the next three years are valued at two million and seven hundred thousand dollars ($2,700,000.00).
It is not clear whether that $2.7 million figure is significantly more than what MNGI had been investing prior to the prior breach or represents a significant increase in investment, but it seems to indicate that MNGI did commit to security enhancements.