2023 Blue Cross Blue Shield of Massachusetts Data Breach Lawsuit Says 804K People Affected by MOVEit Hack

New to ClassAction.org? Read our Newswire Disclaimer

A healthcare tech outfit that provides services to Blue Cross and Blue Shield of Massachusetts (BCBSM), among others, faces a proposed class action lawsuit in the wake of a massive 2023 data breach in which the personal and health information of more than 804,000 people was compromised by hackers. 

Want to stay in the loop on class actions that matter to you? Sign up for ClassAction.org’s free weekly newsletter here. 

The 32-page complaint against National Account Service Company (NASCO), BCBSM, Progress Software Corporation and Ipswitch, Inc. states that proposed class members, i.e., those who are covered by the case, are customers of insurance companies serviced by NASCO whose personal and/or health information was disclosed to unauthorized parties during the cyberattack that compromised the MOVEit file transfer service between roughly May 27 and May 31 of this year. 

The data breach lawsuit says that the information compromised in the incident included, but is not limited to, customers’ names, addresses, phone numbers, gender, dates of birth, email addresses, Social Security numbers, health insurance and medical ID numbers, dates of service, treatment and diagnostic codes, account details, medical device purchases and provider names. 

According to the complaint, NASCO learned of the MOVEit data breach, which affected several hundred companies, in July yet waited until approximately October 27, more than three months later, before beginning to notify victims. 

Related Reading: 2023 MOVEit Data Breach Lawsuits

The filing blames the disclosure of consumers’ sensitive data on the defendants’ inadequate cybersecurity measures. 

“This action seeks to remedy these failings and their consequences,” the lawsuit states.

Per the suit, Ipswitch is an IT software development firm that sells and distributes products such as the MOVEit file transfer service nationwide. Progress Software Corporation acquired Ipswitch in May 2019 and, through the acquisition, acquired MOVEit, the case says. 

The lawsuit contends that although Ipswitch and PSC have heavily touted their MOVEit products as capable of safely handling sensitive data, this is demonstrably false given that the platform’s insecurity was put on full display during the seismic cybersecurity incident earlier this year.

“Specifically, Defendants Ipswitch and Progress identified that MOVEit’s web-based front end is affected by a critical structured query language (SQL) injection vulnerability/attack vector that can be exploited by an unauthenticated attacker to access databases associated with the product.” 

The suit argues that the defendants should have known that MOVEit’s apparent vulnerabilities left the sensitive information of NASCO clients’ customers exposed to security threats. Despite this, the case says, neither Ipswitch nor PSC adequately tested or identified the platform’s vulnerabilities or patched the product to eliminate those threats.

At the same time, NASCO went on using MOVEit without adequately ensuring that it was secure, the lawsuit adds, while BCBSM shared proposed class members’ information via MOVEit and failed to ensure on its own end that the transfer service was safe.

The lawsuit looks to cover all United States residents whose personally identifiable information or personal health information was in the possession of National Account Service Company and was accessed in the MOVEit data breach by unauthorized parties, including all individuals who were sent notice about the incident. 

Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s free weekly newsletter here.