DAYTON, Ohio (WDTN) — A new lawsuit alleges Dayton-based CareSource displayed negligence in its handling of customer data, and it is demanding the company be held accountable.

The lawsuit asserts that poor data security at CareSource allowed hackers to steal the personal information of more than three million customers earlier this year.

The breach took place toward the end of May and specifically targeted a file transfer program known as MOVEit.

CareSource utilized MOVEit, as did numerous other companies, schools and government entities across the globe. They all fell victim to a ransomware attack that has been traced back to a Russian cybercriminal group.

“Their game is to attack companies, steal data or assets, computers, ransomware, those devices, then ask for money — more escalated if companies don’t pay,” Aaron Pritz, Reveal Risk founder and CEO said. “The second tactic is to release the data they stole to the internet.”

The plaintiffs are represented by attorney Jesse A. Shore of Morgan & Morgan. The lawsuit against CareSource aims to attain class action status, in addition to seeking an unspecified amount of compensation for damages.

Upon being formally served with the lawsuit, CareSource will have a 21-day window to file its response in federal court.

In response to the report, a CareSource spokesperson sent 2 NEWS this statement:

“Upon learning CareSource members were impacted by a global cybersecurity event that exploited the MOVEit platform, CareSource launched a prompt and thorough response. We have notified potentially impacted members, offering two years of complimentary credit and identity monitoring. Right now, we are focused on responding to member inquiries and assisting them with resources to help safeguard their data.