Export Compliance Daily is a Warren News publication.
'Sweeping Language'

Plaintiffs in Related MOVEit Data Breach Case Oppose 'Coordinated Proceeding'

Plaintiffs filed a notice of related action “out of an abundance of caution,” in MOVEit Customer Data Security Breach Litigation Tuesday before the U.S. Judicial Panel on Multidistrict Litigation. Plaintiffs Katelin Malo, individually, and as parent and next friend of K.J., a minor, Corrinna Reed and Joann Kindred sued (docket 6:23-cv-01149) Performance Health Technology (PH Tech) this month in a negligence class action stemming from the MOVEit data breach May 30.


PH Tech discovered June 2 that a flaw in MOVEit software enabled hackers to gain access to plaintiffs’ personally identifiable (PII) and personal health information (PHI), but it didn’t begin disclosing that information to affected individuals until July 31, in a letter dated July 27, said the complaint. On June 16, PH Tech determined that PII and PHI it received from Health Share of Oregon, a coordinated care organization, was breached in the attack, said the complaint.

Malo plaintiffs haven't named MOVEit producer Progress Software Corp. (PSC) or Pension Benefit Information (PBI) as defendants in their case, nor have any other plaintiffs in cases filed against PHI, said Malo’s Tuesday notice (docket 3083) in U.S. District Court for Oregon in Eugene. “Nevertheless, based on the sweeping language contained for the first time in [movant Bruce Bailey’s] reply (see Ref:2308140020), Plaintiffs determined that their case could potentially be included in a coordinated proceeding,” the notice said. To “lodge their opposition” with the JPML, “and out of an abundance of caution, Plaintiffs therefore file this notice.”

Bailey said in his Aug. 11 consolidated reply, in further support of a motion for centralization and transfer of related actions to U.S. District Court in Minnesota, that the panel will be reviewing additional tagalong actions in MOVEit Customer Data Security Breach Litigation potentially for “years to come.” At the time of his filing, there were 44 related actions and tagalongs representing 11 federal district courts in the MDL. Ten named defendants in the litigation, arising out of a data breach involving PSC’s MOVEit file transfer software, represent insurance companies, banks, educational institutions, and governmental entities that are alleged to use MOVEit. The software is also used under license by defendant PBI in those cases.

Not all parties agree with transfer and consolidation. Johns Hopkins University and Johns Hopkins Health System filed responses in opposition to consolidation this month (see Ref:2308070061), noting Bailey’s motion to transfer said the “purportedly related actions” before the panel should be transferred and centralized because they all involve defendants PSC and PBI, but five actions were filed July 7-19 against the Johns Hopkins defendants in U.S. District Court for Maryland. Those five actions all asserted claims against the Johns Hopkins defendants for “loss of data in their possession in a data breach”; three of those cases name PSC, but not PBI.

Bailey acknowledged not all parties agree with transfer and consolidation but said no party to a related action contests that all related actions “are centrally related to the May 2023 hack and exfiltration of data from the MOVEit file transfer software.”