Fortra GoAnywhere Hacking Lawsuits Consolidated in the Southern District of Florida
Dozens of lawsuits that were filed in response to the mass exploitation of a vulnerability in Fortra’s GoAnywhere MFT file transfer solution have recently been consolidated into a single lawsuit that will be heard in the Southern District of Florida.
The lawsuits stem from the mass exploitation of a vulnerability by the Clop group. The Clop group, aka Cl0p, is a financially motivated threat actor known for ransomware and extortion-only attacks, which has a history of exploiting vulnerabilities in file transfer solutions. Clop exploited flaws in the Accellion File Transfer Appliance in December 2020, SolarWinds Serv-U Managed File Transfer and Secure FTC software in November 2021, and Fortra’s GoAnywhere MFT solution between January and February 2023. Later in the year, Clop went on to exploit a zero-day vulnerability in Progress Software’s MoveIT Transfer solution.
More than 2,700 users of MOVEit software suffered attacks, the Fortra GoAnywhere vulnerability was exploited to attack around 130 organizations, and Accellion attacks affected more than two dozen organizations. In these attacks, Clop opted for data theft and extortion and chose not to encrypt files, even though the group claimed that it could have done so. Without encryption, attacks are faster and more efficient and there were no apparent attempts at wider compromises. The attacks have certainly proven to be profitable for Clop, which has raked in over $100 million in ransom payments this year from its mass exploitation attacks.
While these mass hacking incidents were similar and the subsequent lawsuits in each made similar claims, the U.S. Judicial Panel on Multidistrict Litigation opted not to consolidate the lawsuits against Accellion and its customers but did consolidate lawsuits related to the GoAnywhere and MoveIT hacking incidents. Organizations that were against consolidation in the Fortra lawsuits argued that the Judicial Panel on Multidistrict Litigation should similarly rule against consolidation as it did with the Accellion actions.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
The decision to deny centralization in the Accellion actions, of which there were 26, was due to most parties opposing centralization organizing the litigation and preferring to cooperate informally, and because there were likely to be allegations specific to each defendant’s role in the breach of plaintiffs’ data since the vulnerability was present in a legacy file transfer solution that Accellion had been encouraging customers to migrate away from. The Fortra GoAnywhere solution is actively used by more than 100 organizations and is not a legacy product, therefore, there are likely to be significant questions about Fortra’s role in the ultimate exploitation of the vulnerability.
All of the GoAnywhere lawsuits are expected to share common and complex factual questions surrounding how the vulnerability occurred, the unauthorized access and data exfiltration, Fortra’s role in the vulnerability and the response to it, and the plaintiffs bringing largely overlapping putative nationwide class actions. Centralization of the actions offers substantial opportunities to streamline pretrial proceedings, reduce duplicative discovery and conflicting pretrial obligations, prevent inconsistent rulings on common evidentiary challenges and summary judgment motions, and conserve the resources of the parties, their counsel, and the judiciary.
The decision to centralize 46 actions across seven districts was supported by several of the organizations named in the lawsuits, including Aetna, Community Health Systems, Brightline, and Fortra. Anthem Insurance Companies Inc. was named in a single action and was against centralization, and plaintiffs in the District of Minnesota held no position on consolidation, although they favored Minnesota if consolidated. The Judicial Panel on Multidistrict Litigation chose the Southern District of Florida to hear the case, as that is where 18 of the lawsuits were filed, more than in any other appropriate transferee district.
The consolidated data breach litigation includes 18 actions against NationBenefits LLC/NationBenefits Holdings in the Southern District of Florida, 8 against Community Health Systems Inc./CHSPSC LLC in the Middle District of Tennessee, 7 against Intellihartx in the Northern District of Ohio, 4 actions against Brightline Inc in the Northern District of California, 4 against Aetna Inc/Aetna International and 3 against NationBenefits LLC in the District of Connecticut, 1 against Anthen Insurance Companies Inc in the Southern District of Indiana, and 1 against Fortra LLC in the District of Minnesota.
Update: May 8, 2025: A $20 million settlement has received preliminary approval from the court. A separate $7 million settlement has been approved to resolve claims against Brightline.
