Interested Parties Pitch Mass., Minn. as Transfer Districts for MOVEit MDL

Filings showed support for, or opposition to, plaintiff Bruce Bailey’s July motion to transfer and centralize all cases involving the MOVEit breach to the District of Minnesota (see 2307120053); others jockeyed for transfer to the District of Massachusetts. The JPML’s hearing on Bailey’s transfer motion will be Thursday (see 2309180061).

F&G Annuities & Life pushed for centralization of all MOVEit cases in the District of Massachusetts because the conduct of PSC and Pension Benefits Information (PBI) “is critical to any liability against F&G,” plus the “numerous other defendants who, like F&G, used PBI’s services,” said its Thursday interested-party response (docket 3083) in support of transfer. F&G “does not itself” use PSC’s MOVEit software that’s the subject of the Re: Moveit Customer Data Security Breach Litigation, but its vendor, PBI, which provides audit and address research services, uses MOVEit to transfer files, F&G said. On June 20, PBI informed F&G that certain files containing F&G policyholder information were compromised by the MOVEit incident, it said.

F&G was named in two MOVEit-related cases: in the Southern District of Iowa and in Massachusetts. Miller v. F&G (docket 4:23-cv-00326) names just F&G; Cooper v. Progress Software Corp. (docket 1:23-cv-12067) also names PBI, Fidelity Investments Institutional Operations, Bank of America and Corebridge Financial as defendants, it said. All are named because some of their customer information was potentially compromised due to PBI’s use of the MOVEit software, it said. F&G supports transfer and centralization of all MOVEit actions in the District of Massachusetts where PSC is based and where more actions are pending than in any other district, said the response.

The related actions should be transferred and coordinated through an MDL proceeding, even though PSC isn’t a named defendant in every named action involving the breach, said F&G. “Contrary to various Plaintiffs’ contentions, and those of the Johns Hopkins defendants, that only cases in which PSC is named as a defendant should be included in any MDL,” (see 2308070061), the vulnerabilities in PSC’s software will be at issue in every MOVEit action “regardless of which defendants are named,” said F&G’s response.

Contrary to some plaintiffs’ contentions that an MDL shouldn’t include any defendants besides PSC because the actions are “better conceived of as ‘hundreds of independent breaches,’ this simply ignores the role of PBI," said F&G's response. "Only through PBI was the client or customer data of dozens of different companies -- F&G, Bank of America, Fidelity Investments, Corebridge, TIAA, the Hartford, Genworth, Prudential Insurance, Milliman Solutions, and many, many others among them -- affected.”

That makes MOVEit litigation “not analogous” to the software-related breach in re: Accellion, Inc. Customer Data Security Breach Litigation,” which parties opposing a broader MOVEit-related MDL relied on in their responses, said F&G. In Accellion, “unlike here, no named defendant held data of customers of other defendants,” it said. In MOVEit, given the roles of PBI and other direct users of the software, the docket is more analogous to the re American Medical Collection Agency, Inc. MDL, where “it was AMCA whose allegedly insufficient data security led to the compromise of all those companies’ data,” it said. The scope of MOVEit litigation -- "involving dozens of defendants in dozens of different district courts, including sometimes overlapping defendants -- makes it far more like AMCA than Accellion,” it said.

Fidelity Investments doesn’t oppose transferring Hanson v. FMR LLC d/b/a Fidelity Investments (docket 1:23-cv-12028) and Cooper v. Progress Software, which also names PBI, Fidelity, Bank of America, F&G and Corebridge Financial (docket 1:23- cv-12067), Fidelity said in its interested-party response of conditional support of Bailey’s motion for transfer of related actions. Fidelity's condition is that Hanson and any other related case that’s filed against Fidelity are also transferred and consolidated into the proposed MDL.

The two actions Fidelity cited are similar except that Hanson doesn’t name PBI and PSC as defendants, but that shouldn’t preclude the cases from being treated alike for the proposed MDL’s purposes, Fidelity said. But if only Cooper were transferred, and not Hanson, that would force Fidelity to litigate the “near-identical” claims separately and engage in “duplicative discovery and motion practice, and face potentially conflicting rulings on, among other things, motions to dismiss and class certification,” it said. Both actions should remain in the District of Massachusetts, it said.

Also on Thursday, interested-party plaintiffs Katelin Malo, Corrinna Reed and Joann Kindred in Malo v. Performance Health Technology opposed a Sept. 19 motion to transfer, said their response before the JPML. The plaintiffs will dismiss their federal complaint, and other plaintiffs who have filed cases in other state courts will take steps to pursue those claims in the Oregon Circuit Court for Multnomah County, said the filing.

Of the 11 cases involving the MOVEit breach pending against Performance Health in Oregon state and federal courts, PH Tech is the sole defendant in 10 of the actions, with allegations addressed “strictly to PH Tech’s violations,” encompassing facts and issues unique to that company, it said. A suit by a Massachusetts plaintiff is the sole case that includes a defendant other than PH Tech, it said.

Malo Oregon plaintiffs filed the first of 11 proposed class actions against PH Tech on Aug. 7. Their counsel then conferred with other plaintiffs’ counsel and determined that the Oregon focus on PH Tech’s business made that jurisdiction proper in Oregon state courts, said the opposition. As more cases were filed, a “consensus … began to emerge,” it said, and all 11 Oregon-based plaintiffs agreed on a case management structure and a course of action directed at prosecuting their claims in Multnomah County, it said. The Malo action shouldn’t “be swept up in and transferred to a massive MDL proceeding for many of the same reasons why other actions against single MOVEit users should not be transferred,” said the response. Oregon plaintiffs “directly entrusted” their personal health information to Oregon-based PH Tech, “and not to an out-of-state vendor whose existence was unknown to most of them before they received notice of the breach.”

The one case to name PH Tech as a defendant, Hopkins V. Trillium Community Health Plan, Inc. et al. (docket 3:23-cv-01259), also names PSC and Trillium Community Health Plan. Hopkins is one of 11 plaintiffs who filed an interested-party response Tuesday in support of motion for transfer and consolidation to the District of Massachusetts. Although the 11 plaintiffs join Bailey’s centralization arguments, they disagree that centralization in Minnesota is appropriate. Massachusetts is the “epicenter” of the case, they said, noting PSC is based in the state, which has 22 actions pending, more than in any other district, and PSC is named as a defendant in most MOVEit actions. Discovery in all related actions will focus on a core set of documents, witnesses and other evidence in the district pertaining to MOVEit software, said the response.

Wednesday, meanwhile, Athene Annuity and Life pushed for centralization of MOVE-it cases in Minnesota, in support of Bailey’s motion, said its interested-party response. Athene counsel Lee Bains of Maynard Nexsen argued Minnesota is a “convenient forum"; centrally located for the cases currently pending; is easily accessible to witnesses, lawyers and the courts; has the requisite resources and subject matter experience, and "favorable docket conditions" with only six pending MDLs. Alternatively, Bains proposed the Eastern District of Louisiana as an “appropriate forum” because of its “central location,” experience in handling MDLs and because it's overseeing “only five” MDLs.

Athene, a defendant in Richard Weissman v. Athene Annuity and Life Company and Pension Benefit Information (docket 1:23-cv-03999), used PBI’s services to administer its products, and PBI used the MOVEit software to transfer and store files. PBI listed the Weissman case as one of 13 in the schedule of actions to its interested party response and memorandum in support of motion to transfer related cases and for centralized pretrial proceedings, Athene noted. The PBI response said the related actions, including Weissman, “all assert claims arising from the purported exposure of personal information of the named plaintiffs and proposed class members as a result of Russian hackers’ exploitation of a zero-day vulnerability discovered by Progress” in its MOVEit file transfer software. PBI also said in those cases filed against PBI where PSC is not named, PBI intends to join PSC as an additional defendant, said Athena.