A federal judge today gave preliminary approval to an agreement that could settle one of the many class-action lawsuits triggered by a ransomware attack on the MOVEit file transfer system.
Nuance Communications, a voice-recognition software company acquired by Microsoft in 2022, has agreed to pay $8.5 million into a settlement fund, according to the preliminary agreement.
Many of the people who could file claims would be the patients of doctors who used Nuance software to record notes. Patients who could show that the breach caused "extraordinary" losses could ask for up to $10,000, and the standard "alternative cash payment" could be $100.
Nuance estimated that the MOVEit breach affected 1.2 million patients seeing its health care provider customers. The settlement figure amounts to about $7.08 per affected patient.
Class members could also get two years of free credit monitoring and identity theft protection.
U.S. District Judge Allison Burroughs, a judge in the U.S. District Court for the District of Massachusetts, ruled that patients or other affected people who want to opt out of the settlement will have to object by Nov. 24.
The final approval hearing is now set for March 18, 2026.
Lawyers for Nuance and the plaintiffs did not immediately respond to a request for comment.
What it means: Clients who received MOVEit attack breach notices but who are unwilling or unable to document that they face large, breach-related losses may not get much from settlement funds.
The history: MOVEit is a software system that helps users move big, sensitive data files.
A ransomware gang attacked the servers used to run MOVEit in May 2023 and ended up getting access to records on 93 million people.
Because many life and annuity issuers and support services providers used MOVEit to manage their data files, the attackers had access to the records of 26 million users of life insurance, annuities and retirement plan administration services.
The process: Burroughs is now managing pretrial proceedings for more than 100 federal suits related to the MOVEit breach through "multidistrict litigation" proceedings.
She is still deciding which cases will move forward through her court and which should be dismissed or will move forward elsewhere.
Burroughs is also organizing the cases into tracks and deciding matters such as which sets of state laws apply to which cases.
One order released in July, for example, affects suits filed against companies like Genworth, TIAA and Delta Dental of California.
The judge dismissed some of the plaintiffs' motions for "failure to state a claim" and let others continue.
She ruled that New York law applies to the cases involving TIAA. Genworth will face cases subject to the laws of California, Florida, New York, Texas and Virginia.
Lawyers for Genworth, TIAA and other life, annuity and retirement services companies involved in the proceedings did not respond to requests for comment.
An earlier settlement: Nuance is not the first MOVEit litigation party to negotiate a preliminary settlement figure.
Arietis, a health care billing software firm, said the MOVEit breach might have affected 1.9 million patients of health care providers that used Arietis billing systems. In January, it announced a preliminary settlement amount of $2.8 million, or $1.47 per affected individual.
© Arc, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to TMSalesOperations@arc-network.com. For more information visit Asset & Logo Licensing.