MNGI Digestive Health pays millions after massive patient data breach

MNGI Digestive Health is being sued over a ransomware attack carried out by the ALPHV/Blackcat group; the attack began on August 20, 2024, and was discovered on August 25, 2024.

 

What happened 

Following the breach, multiple class action lawsuits were filed alleging that MNGI failed to implement reasonable and appropriate cybersecurity measures to protect patient information. These lawsuits were consolidated into a single case in the Minnesota District Court for Hennepin County, titled In Re MNGI Digestive Health, P.A. 

Plaintiffs accused MNGI of negligence, negligence per se, breach of implied contract, unjust enrichment, breach of fiduciary duty, and violations of the Minnesota Consumer Fraud Act, the Minnesota Uniform Deceptive Trade Practices Act, and the Minnesota Health Records Act. Although MNGI denied liability and maintained that it had done nothing wrong, the organization agreed to a settlement on June 23, 2025, to avoid the expense, uncertainty, and burden of continued litigation. 

The settlement fund totaled $2,838,749.62 and provided for reimbursement of out-of-pocket expenses, up to $10,000 per person, along with two years of medical monitoring. All class members were also eligible for a pro-rata cash payment after legal fees and other costs were deducted.

 

The backstory 

The lawsuit against MNGI Digestive Health began with a severe cybersecurity failure that allowed the ALPHV/Blackcat ransomware group to infiltrate its network. The attackers gained unauthorized access on August 20, 2024, and their presence went undetected until August 25, 2024, when MNGI discovered the breach. During that time, hackers accessed a vast amount of highly sensitive data belonging to 767,670 patients, including names, medical records, insurance information, Social Security numbers, financial data, biometric details, and login credentials. 

The sheer volume and sensitivity of the exposed information sparked public outrage and fear of identity theft, medical fraud, and long-term financial harm. In the aftermath, multiple affected individuals filed class action lawsuits claiming that MNGI failed to use reasonable cybersecurity protections to prevent such an attack. Plaintiffs argued that MNGI’s failure to secure its systems directly enabled the breach and left patients vulnerable.

 

What was said 

The Shuster v MNGI class action complaint noted, “There has been no assurance offered by MNGI that all personal data or copies of data have been recovered or destroyed, or that Defendant has adequately enhanced its data security practices sufficient to avoid a similar breach of its network in the future. Therefore, Plaintiff and Class Members have suffered and are at an imminent, immediate, and continuing increased risk of suffering, ascertainable losses in the form of harm from identity theft and other fraudulent misuse of their Private Information, the loss of the benefit of their bargain, out-of-pocket expenses incurred to remedy or mitigate the effects of the Data Breach, and the value of their time reasonably incurred to remedy or mitigate the effects of the Data Breach.”

 

FAQs

Who can be part of the class in such a lawsuit?

Any individual whose personal data was exposed or potentially accessed during the breach may be eligible to join the class. This includes patients, employees, or anyone whose information was stored by the healthcare provider at the time of the breach.

 

What legal claims are commonly made in these lawsuits?

Typical claims include negligence, breach of implied contract, breach of fiduciary duty, unjust enrichment, negligence per se (violation of statutory duty), and violations of state consumer protection laws and health record laws.

 

What kind of compensation can class members expect?

Compensation varies, but may include reimbursement for out-of-pocket expenses related to identity theft, fraud, or credit protection; cash payments; free credit monitoring or identity theft protection services; and coverage for future medical fraud monitoring.