Q2 2023 was characterized by a marked increase in the number of data breach cyber-attacks in the United States and worldwide. Studies showed an alarming increase overall in the US, rising from 5.4 million data breaches in the period of January to March to 49.8 million in the second quarter of the year. One of the major contributors to this is linked to the MOVEit file transfer software vulnerability. Used by many different companies and institutions, the file transfer service had a vulnerability that was exploited by hackers, believed to be “Cl0p,” a notorious Russian gang of cybercriminals. Around 800 American companies and organizations were impacted by the data breach. As a consequence, in June 2023, millions of Americans saw their data compromised, including sensitive social security data. Some of those impacted by the data breach have taken legal action, bringing lawsuits against Progress Software, which is the company behind MOVEit, and the individual companies that held their data.

• April 1, 2024 - Blackbaud data breach could result in class action lawsuit.
• March 1, 2024 - Global Data Breaches & Cyber Attacks by 2024: 29,530,829,012 records have been breached in 4645 incidents that were publicly reported.
• February 1, 2024 - 23andMe Breach Targeted Jewish and Chinese Customers.
• January 1, 2024 - After a data breach, a vendor of an Ohio hospital is sued in a class-action suit.
• December 1, 2023 - GE investigates alleged breach of confidential project data.
• November 1, 2023 - 'Cyber attack' hits Reeds Spring schools. Data breach includes Social Security numbers.

The vulnerabilities in the MOVEit software were first exploited at the end of May 2023, with the first round of public reporting on the data breaches coming in early June. It soon became apparent that millions of people were impacted. Legally, it’s important to note that there are strict rules governing the handling of customer data by companies and other agencies. Thus, those entities may face legal consequences if they fail in their duty to protect that data. Later in the summer of 2023, various lawsuits began to emerge. Indeed, such has been the surge in data breaches in 2023 that there has been a rise in the number of data breach class action lawsuits, with one report showing that there are 246 current class action lawsuits for data breaches in the United States.

A data breach is a type of security incident, one where unauthorized individuals or groups (often hackers) gain access to confidential information through a cyber-attack that often exploits a vulnerability in a software system. Gaining information like social security numbers or credit card details could obviously allow the hackers an opportunity for financial fraud, but even seemingly innocuous information like phone numbers and email addresses can be useful for criminal gangs. Companies that fail to take the necessary steps to protect their customers’ data in the United States may face serious legal consequences, including direct fines from the government and lawsuits from the affected customers.

Every state in America has laws covering data breaches. There is a duty of care for companies and institutions when they hold your data, compelling them to take robust security measures and requiring them to report if that security has been compromised. When that care fails, the companies may face legal consequences, including fines by the FTC (Federal Trade Commission), and those who have their details stolen may be eligible for a data breach compensation claim. Often, these claims are pursued through class action lawsuits.

Allegis Group is an international talent management company headquartered in Maryland. It has multi-billion-dollar revenue and around 19,000 employees. Allegis Group used a tax compliance software named Sovos Compliance, which, in turn, relied on the MOVEit file transfer system. Due to the MOVEit vulnerability and subsequent exploit, employees of Allegis Group may have had their personal, financial, and health information compromised in the data breach. Employees were sent notification letters informing them of the breach in August 2023.

AmeriTrust is an insurance services company that acts as a division of the AF Group.

CareSource is one of the largest Medicaid and Medicare plan managers, representing around 2 million members across five states. It notified the US Department of Health and Human Services Office for Civil Rights in July 2023 that it had suffered a major data breach as a result of the MOVEit exploit. Later in the summer, CareSource was served with multiple lawsuits on behalf of members whose medical data was exposed in the breach. The CareSource breach exposed social security numbers and personal and health data, including medications and health plan information.

Charles Schwab is a financial services and investment company. It has millions of customers and trillions of dollars of assets under management. Specifically with regards to the MOVEit data breaches of 2023, it was a subsidiary of Charles Schwab, TD Ameritrade, that was impacted. The personal data of over 60,000 TD Ameritrade clients was exposed in the breach, including valuable financial account credentials. Charles Schwab is facing a class action lawsuit from clients impacted by the data breach. In reporting, one of the claimants criticized Charles Schwab and the management of TD Ameritrade for the length of time between the breach (estimated to occur on May 30^th, 2023) and the notification sent to clients, which arrived in early August 2023. We should be clear that organizations are under strict obligations to promptly report data breaches to the relevant authorities and those impacted by the breach.

The Continental Casualty Company is an insurance company specializing in property and casualty insurance for business. It is the main subsidiary of the CNA Financial Corporation, headquartered in Chicago. The Continental Casualty Company was caught up in the 2023 MOVEit exploit, resulting in the names and social security numbers of up to 336,000 clients being compromised. The Continental Casualty Company’s data breach was a result of its interactions with Pension Benefit Information (PBI), which provides audit and research services to insurance companies, including the Continental Casualty Company. PBI acted on behalf of Continental Casualty Company to send letters to customers impacted by the 2023 data breach.

Delta Dental of California is one of the largest dental insurance providers in the United States. It serves residents of all 50 states. The company was impacted by the MOVEit exploitation, resulting in the exposure of huge amounts of patient data. There are reports that the hacking group demanded a ransom from Delta Dental, which the company refused to pay.

GreenSky is a financial services company headquartered in Atlanta, Georgia. It provides financial technology to banks and other organizations to facilitate loans to individuals. The company is currently owned by Goldman Sachs, but there is a deal in place for Goldman to sell GreenSky to an investment group in the fall of 2023. GreenSky was impacted by the use of Sovos Compliance software linked to the MOVEit exploit. It is estimated that around 250,000 individuals had their personal and financial data stolen in the cyber-attacks of May and June 2023.

Harvard Pilgrim Health Care is a health services company based in Massachusetts. It is a not-for-profit agency with ties to Harvard Medical School. Unlike the majority of companies and organizations on this list, the 2023 Harvard Pilgrim Data Breach was not linked to the MOVEit software vulnerability. The data breach came earlier in the spring, with the attacks taking place from mid-March to mid-April 2023. Harvard Pilgrim released a statement acknowledging the incident on April 17^th, 2023. The information that was compromised included names, physical addresses, phone numbers, dates of birth, health insurance account information, Social Security numbers, provider taxpayer identification numbers, and clinical information. Over 2.5 million patients’ confidential data may have been leaked in the data breach. The company set up a helpline and special call center to help those impacted by the data breach.

Midland States Bank is a banking group and financial services company that was founded in Illinois. As with most of the others, the data breach suffered by Midland States Bank was linked to the use of Sovos Compliance software and the MOVEit file transfer system. It is estimated that 215,000 customers and employees were impacted by the data breach.

Radius Global Solutions is a customer engagement services company that, among other services, specializes in debt collection across a range of industries, including healthcare. It discovered that it was impacted by the MOVEit vulnerability and exploitation in late May 2023. Around 600,000 people may have been impacted by the Radius data breach, which exposed sensitive information like social security numbers and healthcare data.

Barret Business Services Inc (BBSI) is a supplier of business management solutions, including consulting and human resource outsourcing. It is a global company with offices in New York City. As with Allegis Group, BBSI was impacted by the Sovos Compliance software’s use of the MOVEit file transfer system. Employees and those impacted were sent letters of notification in August 2023.

Sovos LLC is a cloud computing company that specializes in regulatory compliance software, helping businesses and clients with tax compliance in particular. Sovos represents a complex entity in the 2023 data breach cases. This is due to Sovos being a service provider that used the vulnerable MOVEit file transfer system and provided services to several of the companies on this list, exposing them to the Cl0p hacking group. In addition, Sovos LLC itself experienced a data breach, and it is facing a class action lawsuit for the loss of customer data.

Starmount Life Insurance is an insurance company that provides individual insurance policies and company employee benefits. The company used the MOVEit file transfer system to move customer records, and it was made aware of the data breach on June 4^th, 2023. It is estimated that 532,000 people with Starmount Life Insurance policies had their data exposed. This included social security numbers and other sensitive health information. 

TMG Healthcare is a healthcare solutions firm that provides technology and administrative solutions for the wider sector. The services range from audits claims processing, and marketing. TMG Healthcare was compromised in the MOVEit data breaches of 2023, with an estimated 192,000 individuals seeing their data exposed. A lawsuit taken out against TMG Healthcare in August 2023 alleges the company was negligent in its approach to data security.

Unum Group is an insurance provider with a history stretching back to 1848. Founded in Tennessee, it serves customers in the US and Europe. Unum Group was impacted by the MOVEit exploit, recognizing the data breach on June 1^st, 2023. As with other companies impacted by the MOVEit data breaches, Unum Group has been criticized in lawsuits for its delays in notifying impacted customers.

Can I sue if my data is breached?

Yes. Many of those impacted by the 2023 data breaches are already joining class action lawsuits to pursue compensation. Companies have a legal obligation to protect your data, and they may be forced to pay compensation.

How do I claim compensation?

The best way is to join one of the class action lawsuits. All of the companies on the above list will likely face legal action, with some of the lawsuits already filed. If your data has been compromised as a customer of one of the impacted companies, you can find out how to join the lawsuit to gain compensation. 

How do I get compensation for breach of contract?

A breach of contract is different from a data breach. A breach of contract is the act of breaking the terms set out in a contract or employment agreement. A data breach is the compromising of data by an authorized entity, normally a hacking group.

How do I know if I was part of a data breach?

The companies impacted by data breaches are obligated to inform you if your data has been compromised. Many of the companies mentioned above sent out letters to customers informing them that their details were – or possibly were – part of the data breach. If you are unsure, you may contact the company directly. Some of the organizations above have set up helplines for worried customers.

How long does data breach compensation take?

It depends on a number of factors: How the legal action moves through the court system; whether there is an acknowledgment of culpability on the part of the data holder; whether the company wishes to settle out of court by creating a compensation plan.

What actions must be taken if a data breach occurs?

For a company or organization experiencing a data breach with over 500 people impacted, there are laws that require them to report the incident to the relevant authorities and to those impacted by the data breach. In the examples above, most of the companies reported to the US Department of Health and Human Services Office for Civil Rights in the early summer of 2023, with notification letters sent out to those impacted in August 2023, more than two months after the data breach. These rules are covered in the HITECH Act.

What are the damages for a data breach lawsuit?

It depends on a number of factors. Claimants in the 2023 data breach class action lawsuits allege that the companies involved were negligent in their role as custodians of customer data, including financial data, social security records, and sensitive medical information. It may also depend on the “injury” caused by the data breach, including financial loss.

Who is legally liable for data breaches?

Any organization, business, or individual that misuses data may be liable in the event of a breach. The companies mentioned above may choose to take action against Progress Software as the supplier of the vulnerable MOVEit file transfer software. However, they also have a duty of care toward their own customers, which is why they are facing lawsuits.

Which companies are involved in the data breach lawsuit?

The companies impacted by the 2023 data breaches and that may be facing lawsuits include: Allegis Group, AmeriTrust, Barret Business Services, CareSource, Continental Casualty Company, Charles Schwab, Delta Dental, GreenSky, Harvard Pilgrim, Midland States Bank, Radius Global Solutions, Sovos, Starmount Life Insurance, TMG Healthcare, and Unum Group.