Greater Rochester Independent Practice Association Settles MOVEit Data Breach Litigation
A settlement has been agreed to resolve claims against Greater Rochester Independent Practice Association (GRIPA) arising from the May 2023 data breach involving Progress Software’s MOVEit file transfer solution.
In May 2023, the Russian-speaking hacking group CL0p mass exploited a zero-day vulnerability in Progress Software’s MOVEit Transfer file transfer solution. Cl0p exploited the vulnerability to attack an estimated 2,700 companies that used the software, exfiltrated sensitive data, and then demanded payment to prevent the publication of the stolen data. Globally, almost 96 million individuals were affected. Cl0p proceeded to leak large amounts of data on the dark web when its ransom demands were not met.
In the United States, well over 100 class action lawsuits were filed against Progress Software and more than 100 client organizations over the attack and data breach. The plaintiffs alleged that the data breach could have been prevented by implementing industry-standard cybersecurity measures and protocols, such as software to detect suspicious activity, auditing the platform and Progress Software’s cybersecurity practices, and restricting the IP addresses that could access the platform and limiting the file types that could be uploaded.
The lawsuits had overlapping claims and were consolidated into a single multidistrict litigation, which was centralized in the U.S. District Court for the District of Massachusetts – In re: MOVEit Customer Data Security Breach Litigation. Progress Software made multiple bids to have the lawsuit dismissed, and in July 2025, the court largely denied the motions; however, it failed to dismiss the negligence claims under state law in California, Indiana, Michigan, and Ohio.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Several of the affected client organizations have already entered into settlements, including Bank of America, Nuance Communications, and Arietis Health. Now a settlement has been agreed to resolve claims against GRIPA related to the data breach, although the claims against Progress Software have not been resolved and will continue.
GRIPA faced four class action lawsuits over the data breach, the first of which was Clarke, et al. v. Progress Software Corp., et al, which were transferred to and coordinated with In re: MOVEit Customer Data Security Breach Litigation. GRIPA patients had their names, dates of birth, Social Security numbers, health & treatment information, health insurance information, pharmacy prescription information, and prescriber information compromised in the incident, and the publication of that data, according to the lawsuit, resulted in cognizable injuries. GRIPA faced claims for negligence, negligence per se, breach of third-party beneficiary contract, breach of implied contract, unjust enrichment, and declaratory and injunctive relief. GRIPA filed a motion to dismiss, which was denied in part and granted in part by the court on December 12, 2024.
GRIPA denies any wrongdoing and disagrees with the claims and contentions in the lawsuit. After considering the cost, expense, and length of proceedings, and the uncertainty of a trial and related appeals, the parties began settlement discussions. Mediation on June 10, 2025, was successful, with the material terms of a settlement agreed upon by all parties.
Under the terms of the settlement, GRIPA has agreed to establish a $2,150,000 settlement fund to pay claims made by the settlement class members. Claims will be paid after attorneys’ fees and expenses, settlement administration and notification costs, and service awards for the class representatives have been deducted. Class members may submit a claim for reimbursement of up to $2,500 in ordinary losses, and up to $10,000 in extraordinary losses. Alternatively, if a claim for reimbursement of losses is not filed, class members may claim a one-time cash payment, estimated to be $100 per class member. The cash payments will be subject to a pro rata increase or decrease, depending on the number of valid claims received. In addition, all class members are entitled to file a claim for two years of complimentary credit monitoring and identity theft protection services.
The settlement has received preliminary approval from the court. The deadline for filing a claim is September 3, 2026. The final fairness hearing will be held on the same date. Individuals wishing to exclude themselves from the settlement or object to it must do so by August 4, 2026. Further information on the settlement can be found on the settlement website: https://www.moveitsettlementgripa.com/index.htm


