Commitments and contingencies
|12 Months Ended
Sep. 30, 2023
|Commitments and Contingencies Disclosure [Abstract]
|Commitments And Contingencies
|COMMITMENTS AND CONTINGENCIES
We are subject to audits, investigations, and reviews relating to compliance with the laws and regulations that govern our role as a contractor to agencies and departments of federal, state, local, and foreign governments. Adverse findings could lead to criminal, civil, or administrative proceedings, and we could be faced with penalties, fines, suspension, or debarment. Adverse findings could also have a material adverse effect on us because of our reliance on government contracts. We are subject to periodic audits by federal, state, local, and foreign governments for taxes. We are also involved in various claims, arbitrations, and lawsuits arising in the normal conduct of our business. These include but are not limited to bid protests, employment matters, contractual disputes, and charges before administrative agencies. Although we can give no assurance, based upon our evaluation and taking into account the advice of legal counsel, we do not believe that the outcome of any existing matter would likely have a material adverse effect on our consolidated financial position, results of operations, or cash flows.
We evaluate, on a regular basis, developments in our litigation matters and establish or make adjustments to our accruals as appropriate. A liability is accrued if a loss is probable and the amount of such loss can be reasonably estimated. If the risk of loss is probable, but the amount cannot be reasonably estimated, or the risk of loss is only reasonably possible, a
potential liability will be disclosed but not accrued. Due to the inherent uncertainty in the outcome of litigation, our estimates and assessments may prove to be incomplete or inaccurate and could be impacted by unanticipated events and circumstances, adverse outcomes, or other future determinations.
MOVEit Cybersecurity Incident Litigation
As the Company has previously disclosed, on May 31, 2023, Progress Software Corporation, the developer of MOVEit (“MOVEit”), a file transfer application used by many organizations to transfer data, announced a critical zero-day vulnerability in the application that allowed unauthorized third parties to access its customers’ MOVEit environments. Maximus uses MOVEit for internal and external file sharing purposes, including to share data with government customers related to Maximus's services in support of certain government programs. Based on its review of the impacted files to date, the Company has provided notices to individuals whose personal information, including social security numbers, protected health information, and/or other personal information, may have been included in the impacted files.
On August 1, 2023, a purported class action was filed against Maximus Federal Services, Inc. (a wholly-owned subsidiary of Maximus, Inc.) in the U.S. District Court for the Eastern District of Virginia arising out of the MOVEit cybersecurity incident – Bishop v. Maximus Federal Services, Case No. 1:23-cv-01019 (U.S. Dist. Ct. E. D. VA). The plaintiff, who purports to represent a nationwide class of individuals, alleges, among other things, that the Company’s negligence resulted in the compromise of the plaintiff’s personally identifiable information and protected health information.
Since August 1, 2023, approximately nine additional cases arising out of the MOVEit cybersecurity incident have been filed in federal courts against Maximus, Inc. and its subsidiaries. These cases each allege substantially similar allegations on behalf of putative nationwide classes and on behalf of various putative state subclasses.
On October 4, 2023, the United States Judicial Panel on Multidistrict Litigation (“JPML”) granted a Motion to Transfer that created a Multidistrict Litigation (“MDL”) in the District of Massachusetts for all cases in federal court related to the MOVEit cybersecurity incident, including cases filed against Maximus and other defendants, including Progress Software Corporation, the creator of MOVEit. All of the cases against Maximus, Inc. and its subsidiaries in federal courts outside of the District of Massachusetts that are related to the MOVEit cybersecurity incident have now been transferred to the MDL under the caption In re: MOVEit Customer Data Security Breach Litigation. The plaintiffs in Bishop and the other cases against the company in the MDL seek damages to be proved at trial. The Company is not able to determine or predict the ultimate outcome of these proceedings or reasonably provide an estimate or range of the possible outcome or loss, if any.
On September 6, 2023, an individual action was filed in state court in the Florida Circuit Court for the 7th Judicial Circuit, Volusia County: Taylor v. Maximus Federal Services, Case No. 2023-12349 (Fla. Cir. Ct., 7th Jud. Cir., Volusia Cnty.), also arising out of the MOVEit cybersecurity incident. The plaintiff alleges, among other things, that the Company’s negligence resulted in the compromise of the plaintiff’s personally identifiable information and protected health information. Since September 6, 2023, approximately six additional individual actions have been filed against Maximus, Inc. and its subsidiaries in Florida state courts. These actions all raise substantially similar allegations and legal claims. The plaintiffs in these individual actions seek damages to be proved at trial. The Company is not able to determine or predict the ultimate outcome of these proceedings or reasonably provide an estimate or range of the possible outcome or loss, if any.
On October 27, 2023, a purported class action was filed in state court in Marion Superior Court in Marion County, Indiana, against Maximus Health Services, Inc. (a wholly owned subsidiary of Maximus, Inc.): Solis Garcia v. Maximus Health Services, Inc., Case No. 49D12-2310-CT-042115 (Ind. Super. Ct., Marion Cnty.), again arising out of the MOVEit cybersecurity incident. The plaintiff, who purports to represent a class comprised of Indiana residents, alleges, among other things that the Company’s negligence resulted in the compromise of the plaintiff’s personally identifiable information and protected health information. The plaintiff seeks damages to be proved at trial. The Company is not able to determine or predict the ultimate outcome of any of these proceedings or reasonably provide an estimate or range of the possible outcome or loss, if any.
The Company is not able to determine or predict the ultimate outcome of any of these proceedings or reasonably provide an estimate or range of the possible outcome or loss, if any.
Census Project – Civil Investigation Demand (“CID”)
In 2021, Maximus received a CID from the U.S. Department of Justice (“DOJ”) pursuant to the False Claims Act seeking records pertaining to the Census project. The CID requested the production of documents related to the Company’s compliance with telephone call quality assurance scoring and reporting requirements. The Company is cooperating with the DOJ in its investigation and providing responses and information on an ongoing basis. The Company recorded an accrual of $3.4 million for the year ended September 30, 2023. While it is reasonably possible that losses exceeding the amount accrued may be incurred, it is not possible at this time to estimate the additional possible loss in excess of the amount already accrued.
Certain contracts require us to provide a surety bond as a guarantee of performance. As of September 30, 2023, we had performance bond commitments totaling $39.4 million. These bonds are typically renewed annually and remain in place until the contractual obligations are satisfied. Although the triggering events vary from contract to contract, in general, we would only be liable for the amount of these guarantees in the event of default in our performance of our obligations under each contract, the probability of which we believe is remote.