IBM, Insurers Among Defendants Named in 4 MOVEit Data Breach Class Actions
Four class actions filed Thursday and Friday against various defendants involving the Progress Software Corp. (PSC) data breach show the far reach of the late May cyberattack that potentially affected millions of customers, according to complaints.
Plaintiff Kimberlee Daniels, a resident of Colorado, sued IBM in U.S. District Court for Massachusetts in Boston, along with PSC, for failing to secure her personally identifiable (PII) and personal health information (PHI), said her Wednesday complaint (docket 1:23-cv-12010). IBM processes information for the Colorado Department of Health Care Policy and Financing (HCPF), which administers Colorado’s Medicaid program. The complaint alleges HCPF entrusted Daniels’ PII and PHI to defendant IBM along with that of tens of thousands of others.
PSC discovered a problem affecting its MOVEit file transfer software, an application that IBM, a third-party vendor, uses to move HCPF data files “in the normal course of business,” said the complaint. Through its investigation, HCPF learned an unauthorized third party accessed certain files on MOVEit that were used by IBM on May 28 involving name, Social Security number and medical and health insurance information. IBM “acquired, collected, utilized, and derived a benefit” from Daniels’ and class members’ PII and therefore “owed and otherwise assumed statutory, regulatory, contractual, and common law duties and obligations” to keep their PII secure from theft, the complaint said. “IBM accepted responsibility for securely maintaining and protecting this PII/PHI,” it said. IBM didn't comment.
Many details of the breach remain in “exclusive control” of the defendants, said the complaint. The companies haven't made any assurances they “adequately enhanced their data security practices to sufficiently safeguard from a similar vulnerability in the MOVEit Application in the future,” it said. Daniels’ claims include negligence, breach of third-party beneficiary contract and unjust enrichment. She seeks actual, consequential and nominal damages, plus attorneys’ fees and costs.
Plaintiff James Smiley sued PSC, Pension Benefit Information (PBI), Milliman Solutions and Foresters Financial Thursday in U.S. District Court for Washington in Seattle for failing to safeguard his PII, said the complaint (docket 2:23-cv-01354). Foresters, a Toronto-based life insurance company, uses Milliman’s risk assessment services that require the transfer of customers’ PII to Milliman. Smiley’s suit asserts claims of negligence, breach of third-party contract, negligence per se and unjust relief.
A “John Doe” class action filed in U.S. District Court for Southern California in San Diego Thursday names PBI as the sole defendant. California citizen Doe alleges PBI “negligently created, maintained, preserved, and stored” plaintiffs’ and the class members’ personal information, in PBI’s possession, “in a nonencrypted and a nonredacted manner” before May 29, 2023, and May 30, 2023. That allowed nonencrypted and nonredacted personal information to be accessed and “downloaded” or exfiltrated, and “exploited,” by at least one “unauthorized third party,” the complaint (docket 3:23-cv-01610) alleged. PBI allowed the PII to be accessed without plaintiff's and class members' consent, and failed to protect their PII, the complaint said. PBI sent two notices of the breach to California Attorney General Rob Bonta (D) on Aug. 4 and Aug. 16, the complaint noted.
On its website, PBI makes written representations that it preserves the confidentiality of consumers’ PII on its website, which says the company is a “secure host of personal information," and “protecting and securing your information is our highest priority,” said the complaint. The plaintiff alleges PBI violated several California statutes on protecting consumers’ privacy.
Christopher Arden’s negligence class action, in U.S. District Court for Massachusetts in Boston, names Prudential Insurance and PSC as defendants, along with PBI and PSC. Arden received a notice from PBI “on or around July 31” telling him the data breach involving MOVEit software affected certain Prudential customers, said Arden's complaint (docket 1:23-cv-12015). PBI provides regulatory compliance and operational support services for insurance companies, pension funds and other organizations, including, “on a limited basis,” for Prudential, the letter said. Prudential provides payment services on behalf of the Western Conference of Teamsters Pension Trust Fund.
Arden seeks an award of actual, consequential and nominal damages, plus attorneys’ fees and costs. He and other plaintiffs also request orders enjoining the defendants from engaging in the wrongful conduct described in the actions; requiring them to encrypt all data collected through the course of their businesses; to destroy plaintiffs’ data; and to implement and maintain comprehensive security programs designed to protect their PII.