Lawsuits Filed Against Johns Hopkins in MOVEit Hack MessUniversity, Healthcare System Facing Proposed Class Actions Suits for Data Breach
Johns Hopkins University and its Johns Hopkins Health System are facing at least two proposed federal class action lawsuits filed in recent days following the institution's disclosure that it was among victims of the recent spate of hacks involving MOVEit file transfer software.
The two lawsuits filed in the U.S. District Court for the District of Maryland - one on Friday and the other on Monday - make similar claims, including allegations of negligence by the research university and its healthcare system - including its flagship teaching hospital, for failing to protect individuals' sensitive information against compromise by cybercriminals.
Johns Hopkins University and John Hopkins Health System recently disclosed that they were among the many large organizations affected worldwide by cybersecurity attacks exploiting a vulnerability in Progress Software's widely used MOVEit file transfer application.
Ransomware group Clop has claimed credit for the attacks. Clop began targeting a previously unknown vulnerability in Progress Software's MOVEit software around May 27 and May 28 (see: Clop's MOVEit Campaign Affects Over 16 Million Individuals).
Progress Software first reported the MOVEit vulnerability and released an initial patch for the zero-day flaw on May 31. Since then, the company has discovered and issued patches for a few other vulnerabilities (see: MOVEit Discloses More Vulnerabilities, Issues Patch and Latest MOVEit Bug Is Another Critical SQL Injection Flaw).
Security experts estimate that at least 150 organizations have been affected by the attacks, which compromised the personal data of over 16 million individuals.
Johns Hopkins said its breach occurred May 31 and that the institution took immediate steps to secure its systems. "Our cybersecurity team is working closely with data security experts and law enforcement to determine what information was compromised. This investigation is ongoing," the university and its health system said in a joint public notice.
The organizations said the hack did not affected operations, but "initial evaluation shows the attack may have affected the information of Johns Hopkins employees, students and patients."
So far, Johns Hopkins has not publicly disclosed the number of people affected by its MOVEit hack, but the lawsuits estimate the total to be in the thousands or tens of thousands.
Johns Hopkins did not immediately respond to Information Security Media Group's request for comment on the lawsuits and for additional details about the data breach.
Both lawsuits seek monetary damages and injunctive relief requiring Johns Hopkins to implement security practices consistent with law and industry standards to protect consumers' personal identifiable information and protected health information. The data breach puts the plaintiffs and class members at an increased risk of identity theft, financial fraud and other crimes, the lawsuits allege.
"The data breach occurred as a direct result of defendants' failure to implement and follow basic security procedures in order to protect its customers' PII," alleges the lawsuit complaint filed Monday by lead plaintiffs Maria Gregory and Ayomiposi Asaolu.
That includes Johns Hopkins failing to ensure "the confidentiality, integrity, and availability of all electronically PHI the covered entity or its business associate creates, receives, maintains or transmits," the lawsuit alleges.
Even though the Johns Hopkins hacking incident occurred due to an exploited vulnerability in a third-party company's software, lawsuits filed against the university and its health systems - rather than the vendor - appear to make sense for some individuals affected by the data breach, some legal experts say.
"End users of the file transfer software allegedly responsible for the breach probably are the correct defendants," said regulatory attorney Paul Hales of Hales Law Group. Still, at this early stage, it is difficult for plaintiffs to plead actual concrete harm needed to bring a lawsuit in federal court, he said.
"This case and all MOVEit-based cases face a long, tortuous path of motions to dismiss, consolidation with other lawsuits and joinder of the software provider by defendants. It will be a tangled mess to sort out."
In addition to the lawsuits against Johns Hopkins, other individuals affected by MOVEit breaches have filed a handful of proposed class action lawsuits against Progress Software (see: MOVEit Data Breach Victims Sue Progress Software).