Duane Morris Takeaway:This week's episode of the Class Action Weekly Wire features Duane Morris partner Jerry Maatman and associate Ryan Garippo and Andrew Quay with their discussion of a major settlement in the data breach class action space.
Check out today's episode and subscribe to our show from your preferred podcast platform: Spotify, Amazon Music, Apple Podcasts, Samsung Podcasts, Podcast Index, Tune In, Listen Notes, iHeartRadio, Deezer, and YouTube.
Episode Transcript
Jerry Maatman: Thank you, loyal blog readers, for being here again for our next episode of our podcast series entitled the Class Action Weekly Wire. I'm Jerry Maatman, a partner with Duane Morris, and joining me today are my colleagues Ryan Garippo and Andrew Quay. Thanks for being here.
Ryan Garippo: Thanks for having me, Jerry. Great to be here.
Andrew Quay: Glad to be here. Thanks, Jerry.
Jerry: Today, we're going to dive into a ruling granting final settlement approval in litigation entitled In Re Fortra File Transfer Software Data Breach Security Litigation – certainly a mouthful. Ryan, can you give our podcast listeners some background on what this litigation was all about?
Ryan: Yeah, of course, Jerry. This case is one that stems from a massive data breach that occurred a couple years ago, back in January of 2023, linked to the Clop ransomware group, which is a Russian-based operation. They exploited a zero-day vulnerability in Fortra's GoAnywhere MFT software, which a lot of health and financial institutions use to securely transfer files. As a result, the hackers allegedly used that vulnerability to access and steal the personal health information of at least 5 million people.
Jerry: Were there any organizations that were impacted, or strictly just individuals?
Andrew: There were. The breach also affected about 130 organizations, including big names like Aetna, Community Health Systems, and NationsBenefits, all of which ended up as defendants in the resulting lawsuits.
Jerry: So, for our listeners, this case ended up then in a multidistrict litigation proceeding venued in the U.S. District Court for the Southern District of Florida, is that right?
Ryan: Yeah, that's right, Jerry. It's common practice in these data breach cases where, several dozen lawsuits are filed across the country, at least here, two dozen were filed, and they ultimately get consolidated into a multidistrict litigation, which here was in February of 2024, before Judge Rodolfo Ruiz. Plaintiffs' consolidated complaints allege that the defendants failed to adequately protect their private health information of the plaintiffs and the settlement class from the unauthorized access. They also assert multiple counts of common law and statutory violations, all of which seek relief coming from the same events.
Andrew: And to follow up with Ryan, after the parties settled the claims, Judge Ruiz just issued final approval of a $20 million global settlement, which followed a separate $7 million settlement that was reached earlier in the year with a subclass of plaintiffs who sued another big defendant, Brightline.
Jerry: Let's talk a little bit about specifics and drill down. What was exactly encompassed within the $20 million settlement?
Ryan: Well, the settlement is a $20 million cash fund to cover class member benefits, attorneys' fees, and administration costs. However, each member can choose between up to $5,000 in documented losses, or a flat $85 cash payment.
Jerry: What about non-monetary benefits? I understand that those can be determinative in data breach class action settlements.
Andrew: There's the option for dark web monitoring, except for the Brightline subclass, as those class members had already elected credit monitoring under the earlier settlement. However, the settlement does not constitute any admission of fault or liability by the defendants. That's standard language in these types of agreements, but it's worth noting that the court also emphasized this was not a ruling on the validity of the claims or the defenses.
Jerry: What did the judge do with respect to the plaintiffs' petition for an award of attorney's fees and costs?
Ryan: Well, the plaintiffs' attorneys, of course, needed their fees, and he awarded up to 33% of the $20 million, which comes out to $6.67 million for the class counsel. There was also $263,800 in litigation costs separately, so about $2.3 million in attorneys' fees for the Brightline subclass counsel as well.
Andrew: And just to highlight this, following the settlement several defendants, including Fortra, NationsBenefits, Intellihartx, Imagine360, and Community Health Systems have provided attestations confirming they've enhanced their cybersecurity to prevent future breaches.
Jerry: We've seen several large and significant class action settlements in the data breach space so far in 2025, including a ruling granting preliminary settlement approval to a $177 million settlement in In Re AT&T Inc. Customer Data Security Breach Litigation. When you measure that against what occurred in Florida, what do you think with respect to the terms being fair, adequate, and reasonable to the settlement class here?
Ryan: Well, the court stated that "despite the risks involved with further litigation, the Settlement provides outstanding benefits, including Cash Payments, Dark Web Monitoring, injunctive relief, for all Settlement Class Members." in which we just discussed. In light of those factors, the court found the settlement to be "fair, reasonable, and adequate," and there were no objections filed, which, for a class of this size, is fairly significant. So, it usually means that the settlement terms were both well-structured and negotiated.
Jerry: So, at a 100,000-foot level, what would be the takeaways for corporate counsel with respect to this litigation?
Andrew: Well, it's highly important for companies to monitor any vulnerabilities and proactively invest in cybersecurity. These attacks can happen fast and get more sophisticated by the day. And for companies holding sensitive data – particularly health data – regulators, plaintiffs' attorneys, and courts are all watching, so make sure that you are in compliance and engaging in best practice cybersecurity measures.
Jerry: Well, thanks, Ryan and Andrew. These are great insights, and listeners, thanks for joining us today, and appreciate my colleagues breaking down this settlement and what it means for corporate counsel. So please, listeners, join us for future episodes of the Class Action Weekly Wire, and subscribe to stay updated to the latest trends in class action litigation.
Ryan: Thanks for having me on the podcast, Jerry, and as always, thanks to the listeners for joining us.
Andrew: Thanks, everyone.
Disclaimer: This Alert has been prepared and published for informational purposes only and is not offered, nor should be construed, as legal advice. For more information, please see the firm's full disclaimer.
