Rosa et al v. Brightline, Inc.
Filing 21
TRANSFER ORDER re: pldg. ( 1 in MDL No. 3090), ( 2 in MDL No. 3090) Transferring 28 action(s) to Judge Rodolfo A. Ruiz in the S.D. Florida. Signed by Judge Karen K. Caldwell, Chair, PANEL ON MULTIDISTRICT LITIGATION, on 2/5/2024. Associated Cases: MDL No. 3090 et al. (LH)
UNITED STATES JUDICIAL PANEL
on
MULTIDISTRICT LITIGATION
IN RE: FORTRA FILE TRANSFER SOFTWARE
DATA SECURITY BREACH LITIGATION
MDL No. 3090
TRANSFER ORDER
Before the Panel: * NationsBenefits Holdings, LLC, and NationsBenefits, LLC,
defendants in eighteen actions in the Southern District of Florida, move under 28 U.S.C. § 1407
to centralize this litigation in the District of Minnesota. Defendants’ motion includes 46 actions
pending in seven districts, as listed on Schedule A. Since the filing of the motion, the Panel has
been notified of four additional related actions. 1
The motion to centralize is supported by the Aetna 2 and Community Health Systems 3
defendants, defendant Brightline, Inc., and defendant Fortra LLC. Defendant Anthem Insurance
Companies, Inc., opposes centralization of the sole action against it, which is pending in the
Southern District of Indiana. Plaintiffs in the District of Minnesota action against Fortra take no
position on centralization but, if an MDL is created, suggest centralization in the District of
Minnesota. All other plaintiffs oppose centralization and, alternatively, suggest centralization in
the Southern District of Florida.
After considering the argument of counsel, we find that centralization of these actions in
the Southern District of Florida will serve the convenience of the parties and witnesses and
promote the just and efficient conduct of the litigation. All actions can be expected to share factual
questions arising from the January 2023 breach of defendant Fortra’s “GoAnywhere” managed
file transfer software, which was targeted by a Russian-linked ransomware group that leveraged
what are known as “zero-day” (i.e., “then-unknown”) exploits in the software to access customers’
data. All actions can be expected to share common and complex factual questions surrounding
how the Fortra GoAnywhere vulnerability occurred, the unauthorized access and data exfiltration,
and Fortra’s response to it, which impacted all the various downstream defendant users of the file
transfer software and individual plaintiffs. Plaintiffs are individuals whose protected health
information or personal identifying information was potentially compromised. They bring largely
overlapping putative nationwide class actions on behalf of persons impacted by the exploitation of
the Fortra data breach. Centralization offers substantial opportunities to streamline pretrial
proceedings; reduce duplicative discovery and conflicting pretrial obligations; prevent inconsistent
rulings on common evidentiary challenges and summary judgment motions; and conserve the
resources of the parties, their counsel, and the judiciary.
* One or more Panel members who could be members of the putative classes in this litigation have
renounced their participation in these classes and have participated in this decision.
1 These and any other related actions are potential tag-along actions. See Panel Rules 1.1(h), 7.1
and 7.2.
2 Aetna Inc., Aetna Corporate Services, LLC, Aetna Health Management, Inc., Aetna Health, Inc.,
Aetna International, LLC, Aetna Resources, LLC, and Aetna Life Insurance Company.
3 CHSPSC, LLC, and Community Health Systems, Inc.
Plaintiffs in all but the District of Minnesota action against Fortra oppose centralization,
arguing that the parties’ efforts to consolidate the litigation where defendants are based, as well as
other informal coordination efforts, are sufficient alternatives to centralization. These informal
arrangements are not insignificant—due to the consolidation of most actions against separate
defendants in each district, the fifty total actions effectively have been reduced to ten. Even so,
we view centralization as creating more efficiencies and requiring the management efforts of many
fewer judges to establish a pretrial structure, facilitate coordination across districts, and make
procedural and substantive rulings. Critically, there appears to be considerable overlap among the
putative classes. Some members of the putative classes against the various defendants are the
same. The District of Minnesota case against Fortra defines its putative class as one that potentially
encompasses all other actions: “All persons whose Private Information was compromised as a
result of the [Fortra] Data Breach, including those who were sent a Notice of Data Breach[.]” See
Consol. Class Action Compl. ¶ 17, Anderson v. Fortra, C.A. No. 0:23-533 (D. Minn.), ECF. No.
50. Further, the Northern District of California defendant Brightline, which used Fortra’s
GoAnywhere software, contracts with commercial insurance carriers, employers, and consultants
to help provide services to their subscribers, members, and clients. District of Connecticut
defendant Aetna, an insurance carrier, is one of Brightline’s customers. Two of the named
plaintiffs in the District of Minnesota case against Fortra allege that they received notice of the
Fortra incident from Brightline. Further underscoring the overlap among the putative class
members, seventeen plaintiffs bring claims against both Aetna in the District of Connecticut and
against Aetna’s vendor NationsBenefits in the Southern District of Florida.
Plaintiffs opposing transfer argue that the Panel’s decision denying centralization in In re
Accellion, Inc., Customer Data Security Breach Litigation, 543 F. Supp. 3d 1372, 1374 (J.P.M.L.
2021), should dictate a similar denial of centralization here. But Accellion is distinguishable. That
litigation involved 26 actions (and related actions) arising from a breach of a “legacy” file transfer
appliance that Accellion allegedly had encouraged its customers to migrate away from. Id. The
Panel denied centralization, in part, because most parties opposed centralization, had largely self-organized the litigation, and preferred to informally cooperate. Id. (“Most parties, including two
defendants, oppose centralization, and have cooperated to organize all but two actions into three
coordinated or consolidated proceedings.”). As in Accellion, there may be allegations specific to
each defendant’s role in the breach of a particular plaintiff’s data. 4 But this litigation—regardless
of whether Fortra is named as a defendant in a particular case—poses significant questions about
Fortra’s role in the ultimate exploitation of the GoAnywhere vulnerability. In contrast to the
product at issue in Accellion, Fortra’s transfer software here is used by over a hundred
organizations—seemingly far from a “legacy” product.
4 The Panel also denied centralization because:
any factual overlap among the actions as to Accellion’s FTA product, its vulnerability
to attack, and its alleged support of this “legacy” product may be eclipsed by factual
issues specific to each client defendant. Opponents of centralization argue that, rather
than a single data breach, there were numerous data breaches of each client defendant,
occurring at different times and involving each client defendant’s own servers.
Moreover, each client defendant’s knowledge of the FTA’s alleged vulnerability to
attack will be unique, as will Accellion’s alleged efforts to urge each client to migrate
to its newer file sharing product.
Accellion, 543 F. Supp. 3d at 1374.
We are persuaded that the Southern District of Florida is the appropriate transferee district
for these cases. More cases are pending in this district than in any other district, and Judge Rodolfo
A. Ruiz II has taken preliminary steps to organize this litigation. We are confident that Judge Ruiz
will steer this litigation on a prudent course to resolution.
IT IS THEREFORE ORDERED that the actions listed on Schedule A and pending outside
the Southern District of Florida are transferred to the Southern District of Florida and, with the
consent of that court, assigned to the Honorable Rodolfo A. Ruiz II for coordinated or consolidated
proceedings with the actions pending there and listed on Schedule A.
PANEL ON MULTIDISTRICT LITIGATION
_______________________________________
Karen K. Caldwell
Chair
Nathaniel M. Gorton
David C. Norton
Dale A. Kimball
Matthew F. Kennelly
Roger T. Benitez
Madeline C. Arleo
IN RE: FORTRA FILE TRANSFER SOFTWARE
DATA SECURITY BREACH LITIGATION
MDL No. 3090
SCHEDULE A
Northern District of California
ROSA, ET AL. v. BRIGHTLINE, INC., C.A. No. 3:23−02132
JACKSON v. BRIGHTLINE, INC., C.A. No. 3:23−02291
NDIFOR v. BRIGHTLINE, INC., C.A. No. 3:23−02503
CASTRO v. BRIGHTLINE, INC., C.A. No. 3:23−02909
District of Connecticut
ROUGEAU v. AETNA INC., C.A. No. 3:23−00635
VOGEL v. AETNA, INC., C.A. No. 3:23−00740
BANKS, ET AL. v. AETNA, INC., C.A. No. 3:23−00779
W., ET AL. v. AETNA INTERNATIONAL, LLC, ET AL., C.A. No. 3:23−00873
LIZOTTE v. NATIONSBENEFITS, LLC, ET AL., C.A. No. 3:23−00906
GUERRERO v. NATIONSBENEFITS, LLC, C.A. No. 3:23−00910
WILCZYNSKI v. NATIONSBENEFITS, LLC, ET AL., C.A. No. 3:23−00912
Southern District of Florida
SKURAUSKIS, ET AL., v. NATIONSBENEFITS HOLDINGS, LLC, ET AL.,
C.A. No. 0:23−60830
SKUYA v. NATIONSBENEFITS, LLC, C.A. No. 0:23−60846
SEZAWICH v. NATIONSBENEFITS, LLC, C.A. No. 0:23−60877
HASSAN v. NATIONSBENEFITS HOLDINGS, LLC, C.A. No. 0:23−60885
VEAZEY, ET AL. v. NATIONSBENEFITS, LLC, C.A. No. 0:23−60891
CALIENDO v. NATIONSBENEFITS, LLC, ET AL., C.A. No. 0:23−60927
WILSON v. NATIONSBENEFITS, LLC, C.A. No. 0:23−60949
WILCZYNSKI v. NATIONSBENEFITS, LLC, ET AL., C.A. No. 0:23−60950
GUERRERO v. NATIONSBENEFITS, LLC, C.A. No. 0:23−60951
BANKS, ET AL. v. NATIONSBENEFITS, LLC, C.A. No. 0:23−60976
FUSS, ET AL. v. NATIONSBENEFITS, LLC, C.A. No. 0:23−61014
DEKENIPP v. NATIONSBENEFITS, LLC, ET AL., C.A. No. 0:23−61089
CLANCY v. NATIONSBENEFITS, LLC, ET AL., C.A. No. 0:23−61107
WANSER v. NATIONSBENEFITS, LLC, C.A. No. 0:23−61141
LIZOTTE v. NATIONSBENEFITS, LLC, ET AL., C.A. No. 0:23−61209
A.T. v. NATIONSBENEFITS HOLDINGS, LLC, ET AL., C.A. No. 0:23−61325
KING v. NATIONSBENEFITS LLC, ET AL., C.A. No. 0:23−61373
SW v. AETNA INTERNATIONAL LLC, ET AL., C.A. No. 0:23−61548
Southern District of Indiana
SHEPHERD v. ANTHEM INSURANCE COMPANIES, INC., ET AL.,
C.A. No. 1:23−00693
District of Minnesota
ANDERSON, ET AL. v. FORTRA LLC, C.A. No. 0:23−00533
Northern District of Ohio
IN RE INTELLIHARTX DATA SECURITY INCIDENT LITIGATION,
C.A. No. 3:23−01224
KELLY v. INTELLIHARTX, LLC, C.A. No. 3:23−01338
CABRALES v. INTELLIHARTX, LLC, C.A. No. 3:23−01439
TIMMONS v. INTELLIHARTX, LLC, C.A. No. 3:23−01452
MCDAVITT v. INTELLIHARTX, LLC, C.A. No. 3:23−01499
TERWILLIGER, ET AL. v. INTELLIHARTX, LLC, ET AL., C.A. No. 3:23−01509
FULLINGTON v. INTELLIHARTX, LLC, C.A. No. 3:23−01918
Middle District of Tennessee
KUFFREY v. COMMUNITY HEALTH SYSTEMS, INC., ET AL., C.A. No. 3:23−00285
MARTIN v. COMMUNITY HEALTH SYSTEMS, INC., ET AL., C.A. No. 3:23−00354
GATTI v. CHSPSC, LLC, C.A. No. 3:23−00371
CASELLA v. CHSPSC, LLC, C.A. No. 3:23−00396
TATUM, ET AL. v. CHSPSC, LLC, C.A. No. 3:23−00420
FERGUSON v. COMMUNITY HEALTH SYSTEMS, INC., ET AL.,
C.A. No. 3:23−00443
MCGOWAN v. COMMUNITY HEALTH SYSTEMS, INC., ET AL.,
C.A. No. 3:23−00520
UNDERWOOD, ET AL. v. COMMUNITY HEALTH SYSTEMS, INC., ET AL.,
C.A. No. 3:23−00565