A federal lawsuit alleges the University of Rochester was "negligent and reckless" in its handling of student and employee records, leading to a massive data breach this past May.
The university now has joined a growing list of institutions facing lawsuits over the cyberattack that targeted the file transfer software MOVEit.
Natasha Benton-Hill filed the lawsuit Tuesday in U.S. District Court. Benton-Hill, identified as a UR student in the lawsuit, claims the university did not adequately safeguard sensitive records and, after the breach, was slow to notify everyone affected, including her. Benton-Hill is listed in UR records as a patient unit secretary at Strong Memorial Hospital.
The lawsuit seeks class action status.
Similar claims have been brought against Johns Hopkins University and the Teachers Insurance and Annuity Association of America, or TIAA, and against Massachusetts-based Progress Software, makers of MOVEit.
The file management system is used to send and receive large quantities of data often involving sensitive information like billing statements or pension records. The software breach exposed an array of institutions from New York City public schools to Shell Oil, British Airways to the Louisiana and Oregon DMVs and to Estee Lauder and Mary Kay cosmetics.
Tech security firms tracking the cyberattack have counted upwards of 600 organizations affected, involving some 40 million individuals worldwide.
UR was among the first North American institutions to publicly report the breach in early June. The lawsuit claims hackers accessed the records of at least 88,000 people affiliated with UR. The lawsuit argues that the complimentary fraud and identity monitoring offered by UR is "wholly inadequate," and instead seeks damages.
Chicago-based Milberg Coleman Bryson Phillips Grossman PLLC is representing Benton-Hill, and has filed at least a half dozen lawsuits involving the MOVEit breach, including the one against TIAA.
In a statement, UR spokesperson Sara Miller wrote:
"Upon learning of Progress Software’s MOVEit product vulnerability, the University of Rochester launched a prompt and thorough response.
"This incident was part of a sophisticated attack by foreign cybercriminals against one of our third-party software providers. The university is committed to safeguarding the privacy of personal information in our possession and take many precautions to protect all of our data. We are continually evaluating and modifying cybersecurity practices and enhancing internal controls and reviews to adapt to the evolving cybersecurity landscape. We cannot comment further on pending litigation."
The breach mainly affected personal data of UR employees and students, and in some cases their dependents. The university's broader network security was not affected, she said, nor was UR Medicine's electronic health record system, eRecord and MyChart.