Communications Litigation Today was a Warren News publication.

Class Action Names Debt Collector as Sole Defendant in MOVEit Negligence Case

Cybercriminals broke into the systems of debt collection company Radius Global Solutions in May, resulting from the MOVEit software data breach, but the company didn’t inform individuals affected by the breach until September, said a Monday class action (docket 0:23-cv-03182) in U.S. District Court for Minnesota in Minneapolis. Radius, based in Edina, Minnesota, provides outsourced customer service and debt collection to healthcare providers, said the complaint. Plaintiff Frederick Smith of Georgia alleges Radius touts it “is a professional capable of and committed to safeguarding its clients’ data and the individuals’ information contained in that data,” but its pronouncements of being a “capable data custodian proved false.” Radius used “inadequate data security measures that it knew, or should have known, put the highly sensitive data they oversaw at significant risk of theft by or exposure to nefarious parties,” the complaint said. Plaintiffs and class members are at continued risk of harm due to the exposure and potential misuse of their sensitive personal information (SPI) by criminals, it said. Due to Radius’ “needless delay” in disclosing the data breach to the U.S. Department of Health and Human Services, on or about Aug. 4, plaintiff’s and class members’ data “had been acquired by cybercriminals,” and they “could not take remedial steps to protect their credit and accounts from malicious actors -- until months after the Data Breach occurred,” said the complaint. The defendant offered “little to no remedial measures” to Smith or class members “to protect their personal information and credit going forward,” the complaint said. Though Radius offered two years of identity monitoring and protection services, the “time-limited monitoring is inadequate given that Defendant’s victims are likely to face many years of identity theft,” the complaint said. The company urged them to check credit reports and place fraud alerts or freezes on their account and to “educate yourself regarding identity theft, fraud alerts, credit freezes, and the steps you can take to protect your personal information,” it said. A notice on the Radius website says it learned June 1 "of a vulnerability in the MOVEit web transfer application that Radius, along with several thousand other companies and government agencies," uses for transferring documents. When it learned cybercriminals exploited the vulnerability, Radius "immediately investigated its MOVEit database to assess its security and to identify any documents that may have been accessed by unauthorized actors," the company said. After determining some documents were accessed, it did a "comprehensive review of the impacted files to determine what information was present in the impacted files, to whom the information related, and contact information for applicable individuals," it said. Radius "then worked with its clients to notify individuals whose information was present in the files accessible to the unauthorized actors" due to the data breach. The company "promptly reviewed the identified documents" so it could notify "relevant individuals," and it continues to implement "necessary patching and measures to secure the MOVEit database as we learn new information," it said. Plaintiff Smith suffered “actual injury” from having his SPI exposed or stolen as a result of the data breach, including mitigation efforts to ensure his accounts weren’t being used for identity theft and fraud; changing passwords for accounts; damages to the value of his SPI; loss of privacy; and “impending injury” from the increased risk of identity fraud and theft, the complaint said. Smith claims negligence and unjust enrichment. He seeks awards of damages with pre- and post-judgment interest, injunctive relief and attorneys’ fees and costs.