Medicare Contractor Named in MOVEit Data Breach Negligence Class Action

Maximus, which processes information for the Centers for Medicare & Medicaid Services, sent plaintiffs Jerry McDaniel of Floyd County, Georgia, and Barbara Cruciata of the Bronx, New York, a letter informing them it detected “unusual activity” in its MOVEit software May 30, said the complaint. Maximus began to investigate and stopped all use of the MOVEit software early May 31, it said.

Later that day, PSC announced that a vulnerability in MOVEit had allowed an unauthorized party to gain access to files across many organizations in government and private sectors. The personally identifiable information (PII) in the data breach involved “at least” Social Security numbers, birthdates, mail and email addresses, phone numbers, Medicare beneficiary identifiers, health insurance claim numbers, drivers’ license numbers, medical histories with diagnoses and treatments, healthcare provider and prescription information, and health benefits and enrollment information, the complaint said.

PSC stored, maintained and/or hosted plaintiffs’ and class members’ PII on its MOVEit transfer services software that was “recklessly configured and maintained,” resulting in multiple breaches of its network and systems, including Maximus', dating back to 2021, the complaint said. Security vulnerabilities on MOVEit led to “dozens of cyberattacks,” it said.

Maximus “negligently chose” to use MOVEit software to store and transfer plaintiffs’ PII “despite the fact that MOVEit contained security vulnerabilities, and did not carefully monitor the security of the data and/or perform regular security audits,” said the complaint. The potential for improper disclosure of their PII was a “known risk” to the defendants because other file transfer programs had previously been subjected to criminal hacking, it said.

Plaintiffs and class members now face a “current and ongoing risk of identity theft, which is heightened here by the loss of Social Security numbers -- the gold prize for identity thieves,” the complaint said. As a result, they suffered invasion of privacy; financial out-of-pocket costs incurred mitigating the “risk and imminent threat of identity theft”; loss of time due to actual identity theft and increased spam and targeted emails; diminution of value of their PII; and anxiety, annoyance and nuisance, it said.

The class action asserts claims of negligence, breach of third-party beneficiary contract, negligence per se and unjust enrichment. Plaintiffs will serve notice as required under Massachusetts General Law chapter 93A, a consumer protection statute, and intend to amend the complaint to add a cause of action under that statute, the complaint said.

Plaintiffs request orders enjoining defendants from misusing or disclosing their PII; requiring them to encrypt all data collected; delete and destroy their PII, unless defendants can provide reasonable justification for its retention; and implement a comprehensive information security program and engage third-party auditors to conduct periodic testing, the complaint said. They seek awards of actual, consequential and nominal damages; prejudgment interest; and attorneys’ fees and legal costs.

Maximus didn't comment Friday. A PSC spokesperson emailed Friday: "We do not comment on pending litigation as our focus remains on working closely with customers so they can take the steps needed to further harden their environments, including applying the patches we have developed."