U.S. Fertility Offers to Pay $5.75 Million Settlement of Class Action Data Breach Lawsuit
U.S. Fertility LLC, which operates over 100 fertility clinics throughout the U.S., has offered to pay $5.75 million to resolve a class action lawsuit filed over a data breach that compromised the information of about 900,000 individuals.
U.S. Fertility reported in November 2020 that attackers had gained access to its system and deployed ransomware that made selected systems unavailable. The breach was discovered on September 14, 2020; however, the attackers had first gained access to the system on August 12, 2020. Before encrypting files, the attackers exfiltrated sensitive patient information, including names, addresses, birth dates, Social Security numbers, MPI numbers, medical data, and financial data.
The class action lawsuit alleged that U.S. Fertility was negligent in failing to implement reasonable and appropriate cybersecurity measures to protect highly sensitive patient information from unauthorized access. Had those measures been in place, the breach could have been avoided or its severity reduced. U.S. Fertility did not admit to any wrongdoing but decided to settle the lawsuit.
Under the terms of the settlement, all class members are eligible to claim a $50 cash payment. Those whose information was stolen from a clinic in California will be eligible for an extra $200 cash payment. Claims for up to 4 hours of lost time at $25 an hour may also be filed. Unpaid out-of-pocket losses may be claimed and will be paid up to $15,000 for each claimant. Claims for reimbursement of losses should be backed by receipts, professional invoices, IRS documents, account statements, FTC reports, police reports, and other records. The cash payments could be lower and paid pro rata based on the number of claims filed.
Class members who object to the settlement or would like to exclude themselves from it can do so until February 20, 2024. The deadline for filing claims is March 19, 2024. The final settlement hearing is scheduled for April 18, 2024.
Consolidated Fortra GoAnywhere Hacking Lawsuits in the Southern District of Florida
Several lawsuits associated with the mass exploitation of a vulnerability in Fortra’s GoAnywhere MFT file transfer solution have been consolidated into one lawsuit. The consolidated lawsuit will be heard in the Southern District of Florida.
The lawsuits arise from the Clop group’s mass exploitation of a vulnerability. The Clop group, also known as Cl0p, is a financially motivated threat actor known for ransomware attacks as well as extortion-only attacks, and it has been taking advantage of vulnerabilities in file transfer solutions. Clop was behind the exploitation of vulnerabilities in Fortra’s GoAnywhere MFT solution from January to February 2023, in SolarWinds Serv-U Managed File Transfer and Secure FTP software in November 2021, and in the Accellion File Transfer Appliance in December 2020. At the end of 2023, Clop also exploited a zero-day vulnerability identified in the MOVEit Transfer solution of Progress Software.
Over 2,700 MOVEit software users experienced attacks, about 130 companies were affected by the Fortra GoAnywhere vulnerability exploitation, and over two dozen companies were affected by Accellion attacks. In these cyberattacks, Clop decided on data theft and extortion and opted not to encrypt files, although the group stated that it may have done so. With no encryption, attacks are quicker and more effective and there were no obvious attempts at bigger exposures. The attacks were undoubtedly rewarding for Clop, which earned more than $100 million in ransom payments from mass exploitation attacks in 2024.
Although these mass hacking incidents were similar in nature and the resulting legal cases each made the same allegations, the U.S. Judicial Panel on Multidistrict Litigation decided not to combine the lawsuits against Accellion and its clients but did combine the lawsuits associated with the MOVEit and GoAnywhere hacking incidents. Companies that opposed consolidation of the Fortra lawsuits argued that the Judicial Panel on Multidistrict Litigation should likewise rule against consolidation, as it had done with the Accellion actions.
The panel declined to centralize the 26 Accellion actions because most parties did not agree to centralization and chose to coordinate the litigation informally. Also, there were probably allegations particular to each defendant’s part in the breach of plaintiffs’ information, since the vulnerability was found in a legacy file transfer solution that Accellion was telling clients to migrate away from. The Fortra GoAnywhere solution is actively used by over 100 companies and is not a legacy solution; thus, there are probably important questions regarding Fortra’s part in the eventual exploitation of the vulnerability.
All of the GoAnywhere legal cases are expected to share common and complex factual questions regarding how the vulnerability arose, the unauthorized access and data exfiltration, Fortra’s part in the vulnerability and its response to it, and the plaintiffs’ largely overlapping putative nationwide class actions. Centralization of the actions provides considerable opportunities to streamline pretrial proceedings, minimize duplicative discovery and conflicting pretrial obligations, avoid inconsistent rulings on common evidentiary issues and summary judgment motions, and save the resources of the parties, their counsel, and the judiciary.
The decision to centralize 46 actions across seven districts was backed by a number of the companies named in the lawsuits, such as Aetna, Brightline, Community Health Systems, and Fortra. Opposing the centralization was Anthem Insurance Companies Inc., while plaintiffs in the District of Minnesota did not take any position on consolidation, though consolidation is preferred by Minnesota. The Judicial Panel on Multidistrict Litigation chose the Southern District of Florida to take the case since that is where 18 lawsuits were filed, more than in any other proper transferee district.
The consolidated data breach litigation consists of 1 action against Fortra LLC in the District of Minnesota, 1 against Anthem Insurance Companies Inc in the Southern District of Indiana, 3 against NationBenefits LLC in the District of Connecticut, 4 against Aetna Inc/Aetna International, 4 actions against Brightline Inc in the Northern District of California, 7 against Intellihartx in the Northern District of Ohio, 8 against Community Health Systems Inc./CHSPSC LLC in the Middle District of Tennessee, and 18 actions against NationBenefits LLC/NationBenefits Holdings in the Southern District of Florida.