MOVEit Data Breach Class Action Lawsuit | Data Privacy Litigation
The Lyon Firm is investigating claims from plaintiffs and victims of Progress Software’s MOVEit file transfer data breach incident. Tens of millions of Americans are now impacted by the incident, and it is not too late to join an existing class action lawsuit. Contact our data theft lawyers to learn more about the ransomware attack and to discuss your next steps moving forward.
What Happened at Progress Software?
The Clop ransomware group claimed responsibility for an attack on Progress Software in May 2023. The company’s MOVEit Transfer solution was exploited. Progress Software released an emergency patch to fix the flaw on May 31, 2023 but it was a futile attempt to patch a problem that was already blown open. The Clop group exfiltrated huge amounts of data from the MOVEit server between May 27 and May 30, 2023, and hundreds of organizations were impacted.
Most impacted organizations have already sent letters to individuals whose information was compromised. These include government agencies, schools, healthcare entities as well as several banks and life insurance companies.
The MOVEit breaches to have impacted the most individuals are:
| Organization | Individuals |
| Maximus | 11.3 million |
| Welltok | 10 million |
| Delta Dental of California and affiliates | 6.9 million |
| Louisiana Office of Motor Vehicles | 6 million |
| Alogent | 4.5 million |
| Colorado Department of Health Care Policy and Financing | 4 million |
| Oregon Department of Transportation | 3.5 million |
| BORN Ontario | 3.4 million |
| Gen Digital (Avast) | 3 million |
| Teachers Insurance and Annuity Association of America | 2.6 million |
| Genworth | 2.5 million |
| Arietis Health | 1.9 million |
| PH Tech | 1.7 million |
| NASCO | 1.6 million |
| State of Maine | 1.3 million |
| Milliman Solutions | 1.3 million |
| Nuance Communications | 1.2 million |
| Wilton Reassurance Company | 1.2 million |
The Lyon Firm has filed suit against numerous defendants in this matter and we can help you explore your legal options for compensation and justice. We have the resources and the experience to guide you through the legal process, and get you the maximum payout available.
What Happened With MOVEit?
These revelations come after Clop exploited a zero-day vulnerability in the MOVEit Transfer secure file transfer platform on May 27, 2023. The Clop ransomware gang claims to have breached hundreds of companies. If an extortion demand is not paid, the hackers say they will begin leaking the compromised data on June 21st.
The U.S. Department of Energy acknowledged that records from two DOE entities had been compromised in the MOVEit cyberattack. According to BleepingComputer, the listed companies include Shell Oil, UnitedHealthcare Student Resources (UHSR), the University of Georgia (UGA) and University System of Georgia (USG), Heidelberger Druck, and Landal Greenparks.
Other organizations who have confirmed MOVEit Transfer breaches include Zellis, the University of Rochester, the government of Nova Scotia, the US state of Missouri, the US state of Illinois, BORN Ontario, Ofcam, Extreme Networks, and the American Board of Internal Medicine.
In Louisiana, residents with a state-issued driver’s license or state ID may have had their Social Security numbers, driver’s license numbers, vehicle registration information and other personal details exposed.
The Oregon Department of Transportation said Thursday that MOVEit hackers accessed the data of 3.5 million Oregonians who have driver’s licenses or state IDs. Delta Dental reported a breach of almost 7 million.
List of MOVEit Data Breach Victims
- Alogent\Huntington Bank
- Gen Digital
- Fidelity
- Chevron Federal Credit Union
- Wilton Reassurance
- CALpers
- PBI
- 1st Source Bank
- Unum
- Honeywell
- Mass Mutual Ascend
- Cadence Bank
- Nuance Communications
- BMO Bank
- National Student Clearinghouse
- The Harris Center
- Arietis Health
- Pathward
- University of Missouri
- NASCO
- State of Maine
- Sutter Health
- Delta Dental of California
- Genworth
- Maximus
- Welltok – Virgin Pulse
- Medicare
- International Business Machines Corporation (IBM)
- CareSource Corp.
- Teachers Insurance and Annuity Association of America
- Premier Health Partners
- Performance Health Technology, Ltd.
- CHI Health
- Milliman Solutions LLC; Milliman, Inc. d/b/a Milliman IntelliScript
- Corewell Health
- OSF Healthcare System
What Damages Are Available in the MOVEit Lawsuit?
In a data breach and ransomware lawsuit, potential damages that can be sought by the affected parties typically fall into several categories. Much depends on the particular case, and each incident may differ in small ways.
Plaintiffs can be compensated for all the time spent on dealing with a data breach event as well as claims for emotional distress. Here are some common types of damages that may be available in such lawsuits:
- Direct Financial Losses: This can include any monetary losses suffered as a result of the breach, such as fraudulent charges, identity theft, and financial losses related to the theft or disclosure of personal or financial information.
- Statutory Damages: Many data protection laws and regulations, such as the General Data Protection Regulation (GDPR) and various U.S. state laws, include provisions for statutory damages. These may be awarded per affected individual, regardless of whether they can prove actual harm.
- Punitive Damages: In some cases, if the breach was a result of gross negligence or willful misconduct, punitive damages may be awarded to punish the responsible party and deter similar conduct in the future.
- Emotional Distress and Reputation Damage: In some cases, individuals may claim damages for emotional distress or psychological harm resulting from the breach. Businesses may suffer damage to their reputation, which can result in lost business opportunities. Damages for harm to reputation and brand value may be sought.
- Injunctions and Equitable Relief: In some cases, the court may issue an injunction to prevent further disclosure or misuse of the breached data.
In many cases, data breach notification letters are sent out many months after the initial security breach incident was detected. There may be good reasons for a delay in reporting, though in some cases this institutes a serious impediment to those impacted by a data theft event. When these events occur it is critical to begin to protect yourself from fraud as soon as possible.
Delays to individual data theft notifications could mean individuals’ personal data has been in the hands of criminals for many months before they are even aware about the data leak. Data privacy lawyers claim promptly sending out individual data breach notification letters and being transparent about the fraud risk for individuals is not only ethical, but the only way to avoid stiff legal penalties.
It’s essential to consult with legal professionals who specialize in data breach and cybersecurity law to determine the specific damages that may apply in your case. The class actions currently moving forward are likely to settle, and you are encouraged to file a claim.
The Lyon Firm works with some of the most prominent privacy firms nationwide. We have the experience, the resources and the dedication to take on large corporations when acts of negligence result in damages that require compensation and justice. Contact us for a free and confidential consultation and to learn out your legal options.