Lawsuit Alleges Unum Group at Fault for MOVEit Data Breach
A Florida resident is taking legal action against the employee benefits provider, Unum Group, over its MOVEit Transfer data breach and alleges a failure to safeguard the personal information stored within its network. Unum Group was one of hundreds of victims of the mass exploitation of a zero-day vulnerability in the MOVEit Transfer solution. Progress Software issued a security alert about the vulnerability on May 31, 2023, and released a patch the same day; however, the vulnerability had already been exploited in attacks by the Clop group, resulting in the theft of sensitive data.
Unum Group announced on August 3, 2023, that it had been affected and there had been unauthorized access to the protected health information of former and current customers of its subsidiary insurance companies, including names, birth dates, addresses, Social Security numbers, and health insurance claim information. The breach was reported to the HHS’ Office for Civil Rights as affecting 531,732 individuals.
The lawsuit argues that Unum Group had an obligation to keep consumers’ data private and confidential under the Federal Trade Commission Act and HIPAA, yet failed to do so. A company cannot reasonably be expected to prevent the exploitation of a vulnerability that is unknown at the time of exploitation, when the software vendor has not confirmed that a vulnerability exists and has not released a patch or suggested any mitigations.
The lawsuit – Williams v. Unum Group – alleges Unum was at fault for the data breach because it failed to properly encrypt data transmitted through the file transfer solution, did not redact consumers’ private information, and failed in its legal duty to audit, monitor and verify the security practices of its IT vendors. The lawsuit also takes issue with the time it took Unum Group to issue notifications – more than two months after the suspicious activity was detected – and with the lack of information in the notifications about the root cause of the breach. The lack of information made it difficult for victims of the breach to mitigate harm.
The lawsuit alleges the plaintiff and class members now face a present and continuing risk of identity theft and fraud and are required to pay out-of-pocket expenses to prevent, detect, and recover from the misuse of their information, which is now in the hands of criminals. The lawsuit seeks class action certification, a jury trial, an award of actual damages, compensatory damages, statutory damages, and nominal damages, an award of punitive damages, and attorneys’ fees.


