Accellion's file transfer program, called FTA, is used by hundreds of businesses and government agencies, the suit says.

The company became aware on Dec. 16 of an attempt to hack the program and released patches Dec. 20 and 23. After another attack occurred Jan. 20, Accellion issued two more patches Jan. 25 and 28, according to the lawsuit.

An earlier lawsuit, filed Feb. 2 in Washington's King County Superior Court, identified the state auditor's office as an Accellion customer affected by the hack, adding that the PII of as many as 1.6 million Washington residents was exposed.

The March 8 lawsuit, filed by Tennessee resident Eugene Bolton, cites a statement from the University of Colorado that places the number of businesses and agencies affected by the hacks at about 300.

In addition to the Washington State Auditor's Office, affected businesses include the grocery store chain Kroger, law firm Jones Day, Singapore telecommunications company Singtel, the Reserve Bank of New Zealand, and the Australian Securities and Investments Commission, the suit says.

A March 7 report from The Associated Press added the Harvard Business School, Canadian aircraft maker Bombardier Inc. and rail firm CSX Corp. to the list.

Bolton's suit asks the court to certify two classes, one for those U.S. citizens whose PII was exposed in the December breach and a second class for those whose medical information was exposed.

The suit accuses Accellion of negligence and violations of the California Confidentiality of Medical Information Act, Cal. Civ. Code § 56.10, among other charges. It seeks damages, restitution, injunctive relief, attorney fees and costs.

Bolton is represented by Todd D. Carpenter of Carlson Lynch LLP in San Diego.