Johns Hopkins University and its affiliated health system are facing two proposed federal class action lawsuits in response to a recent cybersecurity breach involving the MOVEit file transfer software. The lawsuits, filed in the U.S. District Court for the District of Maryland, accuse the university and healthcare system of negligence for failing to adequately protect sensitive information from cybercriminals.
The breach, attributed to the Clop ransomware group, exploited a vulnerability in Progress Software’s MOVEit application, affecting numerous organizations worldwide and compromising the personal data of over 16 million individuals.
While the breach occurred on May 31, Johns Hopkins University only disclosed the incident recently and stated that immediate measures were taken to secure their systems. The university’s cybersecurity team is working with experts and law enforcement to investigate the extent of the compromised information.
While the impact on operations appears to be minimal, the breach potentially affected the personal information of Johns Hopkins employees, students, and patients.
Although the university has not publicly disclosed the number of affected individuals, the class action lawsuits estimate that the figure could be in the thousands or tens of thousands. The legal action seeks monetary damages and injunctive relief, requiring Johns Hopkins to implement industry-standard security practices to safeguard personal identifiable information and protected health information. The plaintiffs argue that the breach exposes them and other affected individuals to an increased risk of identity theft, financial fraud, and other crimes.
Legal experts suggest that filing lawsuits against Johns Hopkins University and its health system, rather than the vendor responsible for the software vulnerability, may be appropriate for affected end-users.
However, at this stage, it may be challenging for the plaintiffs to establish concrete harm necessary for federal court proceedings. The litigation process is expected to involve motions to dismiss, consolidation with other lawsuits, and the potential involvement of the software provider, resulting in a complex legal process.
In addition to the lawsuits against Johns Hopkins, Progress Software, the vendor behind MOVEit, has also faced legal action from individuals affected by the breaches.
The path forward for these cases is anticipated to be complicated and prolonged, involving various legal maneuvers and potential consolidation to sort out the intricate web of responsibility and liability surrounding the cybersecurity incidents.