## Overview
A federal court has rejected a second attempt by bellwether defendants in the MOVEit multi-district litigation to have negligence claims thrown out, ruling that such claims may proceed under the laws of California, Indiana, Michigan, and Ohio. The defendants — Progress Software, the maker of the MOVEit file-transfer application, along with several of its enterprise customers — argued the claims were barred by the economic-loss rule, which generally bars recovery in negligence for purely financial loss unaccompanied by physical injury or property damage. The court disagreed, allowing the litigation to advance.
The MOVEit breach, first disclosed in 2023, exposed data held by more than 2,600 organizations worldwide after the Cl0p extortion group exploited a zero-day SQL injection vulnerability in Progress Software's managed file-transfer product to exfiltrate data in bulk. Among the affected organizations were healthcare providers, insurers, and business associates that relied on MOVEit to transmit sensitive patient and member data. The resulting litigation consolidated thousands of individual suits into multi-district proceedings in federal court.
The court's second refusal to dismiss on negligence grounds signals that plaintiffs have cleared a significant procedural hurdle. Defendants face the prospect of discovery, class certification proceedings, and potential trial or settlement on the merits — exposing both the software vendor and its downstream customers to liability for harm flowing from the breach.
## Key developments
Economic-loss rule rejected as a complete bar. Defendants argued that because plaintiffs suffered financial rather than physical harm, state tort law shielded them from negligence liability. The court declined to apply that bar categorically, finding that the specific facts alleged and the applicable law of California, Indiana, Michigan, and Ohio permitted negligence claims to proceed despite the absence of physical injury.
Vendor and customer defendants face shared exposure. The litigation names not only Progress Software but also organizations that deployed MOVEit as customers. This dual-defendant structure illustrates that a court may examine the entire chain of responsibility for sensitive data, from the vendor that wrote and maintained the software to the enterprises alleged to have deployed it without adequate safeguards.
Second failed dismissal motion raises settlement pressure. When defendants lose a second motion to dismiss, litigation dynamics shift materially. Continued defense costs, approaching class-certification hearings, and the risk of adverse discovery findings typically increase the incentive to negotiate resolution, as occurred in several prior large-scale healthcare breach MDLs.
Scope of affected data heightens damages exposure. Because many MOVEit users were healthcare entities transmitting protected health information, the breach implicated not only financial records but also diagnoses, treatment histories, and other sensitive data categories that courts and juries tend to treat as warranting elevated damages.
## Industry impact
The MOVEit litigation represents one of the largest data-breach MDLs in U.S. history by number of affected individuals and defendant organizations. The breach touched an estimated 2,600 or more organizations globally, with tens of millions of individuals' records exposed, a significant proportion of them patients or health-plan members. According to IBM's Cost of a Data Breach Report, healthcare consistently records the highest average breach cost of any industry, at or around $10 million per incident in recent years, figures that inform the damages calculations plaintiffs' counsel will present.
The court's ruling also has implications beyond this single case. It signals that federal judges handling large-scale software-supply-chain breaches are prepared to hold both vendors and enterprise customers accountable in tort, not merely in contract. For healthcare-specific deployments, that means covered entities and business associates that selected, configured, and operated file-transfer tools without documented risk assessments and security controls may find themselves standing alongside the vendor at the defense table rather than being treated as purely downstream victims.
OCR's breach portal reflects dozens of MOVEit-related breach reports filed by covered entities and business associates, underscoring the extent to which this single vulnerability propagated through the healthcare sector's data-sharing infrastructure.
## What this means for independent practices
- Audit all managed file-transfer tools in current use. Confirm that each tool — particularly any used to exchange PHI with billing companies, labs, imaging centers, or health plans — has received all security patches and is operating on a supported version, and record which instances are reachable from the internet, since those are the ones an attacker can hit before anyone inside has read the advisory.
- Review business associate agreements with file-transfer vendors. BAAs should clearly allocate responsibility for timely patch deployment, breach notification, and indemnification. Agreements that predate 2023 may not reflect current risk.
- Document the risk assessment that accompanied vendor selection. Courts and OCR alike examine whether covered entities conducted documented due diligence before entrusting a vendor with PHI. A written risk analysis is both a HIPAA requirement and a litigation defense.
- Confirm that vendors carry adequate cyber liability coverage. A vendor's insolvency or coverage gaps following a major breach can leave a practice holding shared liability with no indemnification path.
- Establish a process for monitoring vendor security advisories. Practices that rely on vendors to self-report vulnerabilities are exposed to the same timing gap that Cl0p exploited in the MOVEit case — a zero-day known to attackers before it was known to defenders.
Independent practices that transmit PHI through third-party file-transfer or managed-file-exchange services carry real exposure when those services fail. The MOVEit litigation demonstrates that deploying a vendor tool is not a transfer of responsibility: courts are examining whether the organizations that used MOVEit took reasonable steps to vet, configure, monitor, and contractually protect that relationship. Practices that treat vendor selection as a one-time administrative task rather than an ongoing security and compliance discipline face the same exposure as the enterprise defendants named in this MDL.
## What would have prevented this
Timely patch and vulnerability management: A documented process for monitoring vendor security advisories and applying critical patches within a defined window — particularly for internet-facing file-transfer systems — would have shortened the period between Progress Software's public disclosure and the point at which each instance was actually patched. It cannot close the window before disclosure, during which Cl0p was already exploiting the zero-day; that pre-disclosure window is what the segmentation and monitoring controls below address.
Network segmentation around file-transfer services: Isolating managed file-transfer infrastructure from broader internal networks, and restricting the outbound connections the file-transfer host may make, limits an attacker's ability to move laterally after exploiting a vulnerability and contains the volume of data accessible during a compromise.
Continuous monitoring and anomaly detection on data-transfer endpoints: Logging all file-transfer activity at the application layer and alerting on anomalous volumes, access patterns, unfamiliar accounts or source addresses, or off-hours transfers enables defenders to detect exploitation while mass exfiltration is still under way rather than learning of it from the vendor's advisory.
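The monitoring control above is the one most directly demonstrable in code. The following Python script is an added example, not part of the original article and not MOVEit's own logging format: it parses a constructed, assumed key=value transfer log, learns per-user behaviour from an initial baseline period, and then flags off-hours activity, single large downloads, downloads far above a user's own median, accounts absent from the baseline, and known accounts arriving from a source IP they have never used. The log format, thresholds, business-hours window, account names and IP addresses (documentation ranges) are all assumptions for illustration.

```python
"""Detect anomalous activity in managed file-transfer (MFT) access logs.

Added example; not part of the original article and not MOVEit's own log
format. Line format, thresholds and the business-hours window are assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
from statistics import median

# Assumed log format: one transfer per line, UTC timestamp, key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"bytes=(?P<nbytes>\d+) src=(?P<src>\S+)$"
)

# Tunables (assumptions for illustration; derive them from your own baseline).
BUSINESS_HOURS = range(7, 19)      # 07:00-18:59 UTC counts as normal
LARGE_TRANSFER_BYTES = 1 << 30     # any single download >= 1 GiB is notable
SPIKE_FACTOR = 10                  # > 10x the user's median prior download


@dataclass
class Event:
    ts: datetime
    user: str
    action: str
    nbytes: int
    src: str


def parse_log(text: str) -> list[Event]:
    """Parse log lines into Events, sorted by time; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(Event(ts, m["user"], m["action"], int(m["nbytes"]), m["src"]))
    return sorted(events, key=lambda e: e.ts)


def detect(events: list[Event], baseline_end: datetime) -> list[dict]:
    """Learn per-user behaviour from events before baseline_end, flag later ones.

    Each event is judged only against what was seen before it, then folded into
    the state. A real deployment would build the baseline from weeks of history
    rather than from the same file.
    """
    prior_downloads = defaultdict(list)   # user -> sizes of earlier downloads
    known_src = defaultdict(set)          # user -> source IPs seen so far
    findings = []
    for e in events:
        reasons = []
        if e.ts >= baseline_end:
            if e.ts.hour not in BUSINESS_HOURS:
                reasons.append("off-hours")
            if e.user not in known_src:
                reasons.append("first-seen-account")
            elif e.src not in known_src[e.user]:
                reasons.append("new-source-ip")
            if e.action == "download":
                if e.nbytes >= LARGE_TRANSFER_BYTES:
                    reasons.append("large-transfer")
                hist = prior_downloads[e.user]
                if hist and e.nbytes > SPIKE_FACTOR * median(hist):
                    reasons.append("volume-spike")
        known_src[e.user].add(e.src)
        if e.action == "download":
            prior_downloads[e.user].append(e.nbytes)
        if reasons:
            findings.append({"ts": e.ts.isoformat(), "user": e.user, "src": e.src,
                             "bytes": e.nbytes, "reasons": reasons})
    return findings


def bytes_per_user(events: list[Event], since: datetime) -> dict:
    """Total bytes downloaded per account since a given time (exfil volume view)."""
    totals = defaultdict(int)
    for e in events:
        if e.ts >= since and e.action == "download":
            totals[e.user] += e.nbytes
    return dict(totals)


# Constructed sample: two normal days, then a night-time bulk download by an
# account never seen before, plus a legitimate account used from the same IP.
SAMPLE_LOG = """\
2023-05-25T14:02:11Z user=alice action=download bytes=2400000 src=203.0.113.10
2023-05-25T15:10:44Z user=alice action=download bytes=3100000 src=203.0.113.10
2023-05-26T09:45:03Z user=bob action=upload bytes=900000 src=198.51.100.7
2023-05-26T13:20:19Z user=alice action=download bytes=2800000 src=203.0.113.10
2023-05-27T02:13:05Z user=svc_health action=download bytes=48000000000 src=192.0.2.55
2023-05-27T02:14:51Z user=svc_health action=download bytes=52000000000 src=192.0.2.55
2023-05-27T10:05:00Z user=bob action=download bytes=1200000 src=198.51.100.7
2023-05-27T11:30:00Z user=alice action=download bytes=35000000 src=203.0.113.10
2023-05-27T23:40:00Z user=alice action=download bytes=2600000 src=192.0.2.55
this line is not a transfer record and is skipped
"""
BASELINE_END = datetime(2023, 5, 27, tzinfo=timezone.utc)

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for f in detect(evs, BASELINE_END):
        print(f"{f['ts']} {f['user']:<11} {f['src']:<13} {f['bytes']:>12} {','.join(f['reasons'])}")
    print(bytes_per_user(evs, BASELINE_END))
```

Run as-is, the script flags the two 02:00 downloads by the unfamiliar `svc_health` account as off-hours, first-seen and large, flags alice's 35 MB download as a spike against her own 2.8 MB median, and flags her late-night download from the attacker's address as a new source IP, while bob's ordinary daytime transfer produces nothing. The per-user total shows roughly 100 GB leaving under one account in two minutes, which is the signal a practice should be paging on long before a vendor advisory arrives.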
Third-party vendor security assessments prior to deployment: Conducting documented security reviews — including review of a vendor's patch cadence, penetration-testing history, and incident-response obligations — before deploying any tool that handles PHI identifies risk before a contract is signed rather than after a breach is disclosed.
Contractual security standards and audit rights in BAAs: Business associate agreements that specify minimum security requirements, mandatory patch timelines, and the covered entity's right to audit compliance create both an incentive for vendors to maintain controls and a documented foundation for indemnification claims if controls fail.