People Whose Information Was Exposed in the MOVEit Hack May Be Owed Money After Mass Data Theft

In May 2023, a hacking group known as CL0P exploited a vulnerability in MOVEit Transfer — a widely used file transfer software made by Progress Software. Within days, the hackers had stolen data from thousands of organizations around the world that use MOVEit to move sensitive files.

The data stolen includes Social Security numbers, financial records, health information, and personal identifying information belonging to an estimated 100 million or more people. Major organizations affected include Louisiana's Office of Motor Vehicles, the Oregon DMV, Siemens Energy, PricewaterhouseCoopers, the Louisiana Department of Education, and many hospitals and healthcare systems.¹

Lawsuits allege that Progress Software failed to adequately protect its product against a known class of vulnerability, and that the affected organizations failed to protect customer and patient data.

What the MOVEit Lawsuit Is About

MOVEit Transfer is a software tool used by government agencies, hospitals, banks, universities, and corporations to securely move files internally and between organizations. Because so many large institutions use MOVEit, a single vulnerability in the software exposed data from thousands of organizations at once.

The vulnerability exploited by CL0P was a type called a SQL injection flaw — a well-known category of cybersecurity weakness. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an alert (AA23-158A) and a list of affected organizations as the scope of the breach became clear throughout 2023.²

Because MOVEit is used by healthcare organizations, many of the stolen records contain highly sensitive medical information. For government agency victims, Social Security numbers and driver's license information were frequently exposed.

Who May Qualify

You may qualify if either of these applies to you:

1. You received a notice from a hospital, government agency, employer, school, or other organization that your data was exposed in the MOVEit breach, OR
2. You have reason to believe your data was held by an organization that used MOVEit — and your personal, financial, or medical information was exposed.

What Could This Mean for You?

If you qualify, you may be owed money for the unauthorized exposure of your personal information, time spent dealing with the breach, and related harm. In many states, the exposure itself — without proven financial loss — is enough to pursue a case.

We will not quote individual amounts. What any case may be worth depends on the specific harm and how the courts handle these matters. The case check is free and costs you nothing to start.

Filing Deadline

Data breach statutes of limitations vary by state — typically one to three years from the time you knew or should have known. Since most people received notices in 2023, some state deadlines may be approaching soon. Don't wait to find out where you stand.

How the Process Works

1. Fill out the free form — no cost, no commitment.
2. A lawyer reviews whether your information was likely exposed.
3. If you qualify, you pay nothing unless you receive money.
4. Your case is filed in the MDL or appropriate court.

Common Questions

How do I know if my data was in MOVEit?

Breach notification letters will often mention MOVEit by name. You can also check haveibeenpwned.com — a free tool that shows if your email was involved in known breaches.

What if I don't know which organization had my data?

Many people don't know all the organizations that hold their information. A lawyer can help investigate.

This happened in 2023 — isn't it too late?

No. Statutes of limitations are still running in most states. Check your options soon.

Do I need to show I was financially harmed?

Not necessarily. Many states allow recovery for the unauthorized exposure of personal data alone — even without proven financial loss.

What if I got a settlement check from one of the organizations — does that affect my case?

Possibly. Speak with a lawyer before accepting any settlement payment from an affected organization.