Commitments And Contingencies |
9 Months Ended |
---|---|
Jun. 30, 2025 | |
Commitments and Contingencies Disclosure [Abstract] | |
Commitments And Contingencies | COMMITMENTS AND CONTINGENCIES Litigation
We are subject to audits, investigations, and reviews relating to compliance with the laws and regulations that govern our role as a contractor to agencies and departments of federal, state, local, and foreign governments. Adverse findings could lead to criminal, civil, or administrative proceedings, and we could be faced with penalties, fines, suspension, or debarment. Adverse findings could also have a material adverse effect on us because of our reliance on government contracts. We are subject to periodic audits by federal, state, local, and foreign governments for taxes. We are also involved in various claims, arbitrations, and lawsuits arising in the normal conduct of our business, which include but are not limited to bid protests, employment matters, contractual disputes, and charges before administrative agencies. Except for the matters described below for which we cannot predict the outcome, we do not believe the outcome of any existing matter would likely have a material adverse effect on our consolidated financial position, results of operations, or cash flows.
We evaluate developments in our litigation matters and establish or make adjustments to our accruals as appropriate. A liability is accrued if a loss is probable and the amount of such loss can be reasonably estimated. If the risk of loss is probable, but the amount cannot be reasonably estimated, or the risk of loss is only reasonably possible, a potential liability will be disclosed but not accrued, if material. Due to the inherent uncertainty in the outcome of litigation, our estimates and assessments may prove to be incomplete or inaccurate and could be impacted by unanticipated events and circumstances, adverse outcomes, or other future determinations.
MOVEit Cybersecurity Incident Litigation
As the Company has previously disclosed, on May 31, 2023, Progress Software Corporation, the developer of MOVEit, a file transfer application used by many organizations to transfer data, announced a critical zero-day vulnerability in the application that allowed unauthorized third parties to access its customers’ MOVEit environments. Maximus uses MOVEit for internal and external file sharing purposes, including to share data with government customers related to Maximus's services in support of certain government programs. Based on its review of the impacted files to date, the Company has provided notices to individuals whose personal information, including social security numbers, protected health information, and/or other personal information, may have been included in the impacted files.
On August 1, 2023, a purported class action was filed against Maximus Federal Services, Inc. (a wholly-owned subsidiary of Maximus, Inc.) in the U.S. District Court for the Eastern District of Virginia arising out of the MOVEit cybersecurity incident – Bishop v. Maximus Federal Services, Case No. 1:23-cv-01019 (U.S. Dist. Ct. E. D. VA). The plaintiff, who purports to represent a nationwide class of individuals, alleges, among other things, that the Company’s negligence resulted in the compromise of the plaintiff’s personally identifiable information and protected health information. The plaintiff seeks damages to be proved at trial. Since then, thirteen similar cases have been filed in federal courts across the country (inclusive of one case filed in state court and removed to federal court by the Company).
On October 4, 2023, the United States Judicial Panel on Multidistrict Litigation granted a Motion to Transfer creating a Multidistrict Litigation (MDL) in the District of Massachusetts for all cases related to the MOVEit cybersecurity incident. Each of the actions pending in federal courts are centralized in the MDL.
On December 12, 2024, the Court granted in part Defendants' omnibus motion to dismiss Plaintiffs’ claims pursuant to Rule 12(b)(1), challenging Plaintiffs’ standing to bring this suit, dismissing claims brought by four of the Plaintiffs in the MOVEit MDL. None of the dismissed claims were asserted against the Company.
The Court has also named the Company as a bellwether defendant in the MDL. The Company and the other bellwether defendants submitted motions to dismiss the pending actions pursuant to Rule 12(b)(6), which the Court granted in part and denied in part on July 31, 2025. Approximately half of the claims asserted against the Company remain, and the Company is proceeding to discovery regarding those claims.
Separately, there is currently an individual action pending against the Company in Florida state court. On September 6, 2023, an individual action related to the MOVEit incident was filed in state court in the Florida Circuit Court for the 7th Judicial Circuit, Volusia County: Taylor v. Maximus Federal Services, Case No. 2023-12349 (Fla. Cir. Ct., 7th Jud. Cir., Volusia Cnty.). The plaintiff alleges, among other things, that the Company’s negligence resulted in the compromise of the plaintiff’s personally identifiable information and protected health information. The plaintiff seeks damages to be proved at trial. On April 3, 2024, the Court stayed this action pending further developments in the MOVEit MDL. This case remains stayed.
While the Company is unable to predict the ultimate outcome of any of the remaining proceedings, we have accrued an amount within a range of possible outcomes expected to be incurred to resolve the matters.
|