A patient has filed a class-action lawsuit against the Johns Hopkins University and the Johns Hopkins Health System alleging “failure to properly secure and safeguard” patients’ personal and medical information compromised in a recent data breach involving MOVEit file transfer software. This same software has been implicated in multiple other cyber breaches nationwide involving large heath care organizations and companies, and likely many more that don’t know it yet.

The lawsuit, which lists Pamela Hunter as the plaintiff, accuses Hopkins of “intentionally, willfully, recklessly, or negligently failing to take and implement adequate and reasonable measures” to ensure sensitive information was protected. It estimates tens or hundreds of thousands of students, patients, and employees have been affected by the cyber breach.

In an online statement, Johns Hopkins said an “initial investigation suggests that the data breach may have impacted sensitive personal and financial information,” including names, contact information and billing records, but — in contrast to the lawsuit’s allegations — medical records were not compromised.

The breach occurred on May 31, the same day that Progress Software, which produces the file transfer program MOVEit, announced a vulnerability in the software. Hopkins said it notified affected patients in a letter mailed in mid-June, as soon as “the full scope and breadth of the incident,” was determined.

The Baltimore Banner thanks its sponsors. Become one.

Other health systems affected by the MOVEit cyber breach include UofL Health based in Louisville, Kentucky, and Houston-based Harris Health System. More than 200 companies have seen large-scale theft of customers’ and/or employees’ identifying and demographic information in the cyber hack, ranging from European airlines to U.S. government agencies to the multinational fuel corporation Shell. Some companies were exposed through contracted businesses that use MOVEit software. The breach has so far captured the data of millions.

Most lawsuits filed so far have focused on Progress Software, with at least 13 alleging poor cybersecurity filed against the manufacturer.

A Russia-linked cybercriminal group known as Clop has taken responsibility for the attacks, demanding ransom from some organizations in exchange for their stolen data and threatening to publish it if they don’t comply.

The investigation into the data breach is ongoing, Hopkins said, and patients will be notified as additional information becomes available. For now, the organization is urging affected individuals to take specific steps to review and protect their information, and is offering them two years’ worth of free credit monitoring.

Johns Hopkins did not immediately respond to request for comment regarding the lawsuit filed.


Sarah True was a public health reporter for the Baltimore Banner. She previously worked as a freelance journalist covering healthcare and health policy, and has been both a medical social worker and a health policy analyst in a past life. She holds dual Master’s degrees in public health and social work.

More From The Banner