A class-action lawsuit was filed this week against a collection agency after the agency was the victim of a ransomware attack and data breach. The breach, which occurred in June 2024, involved unauthorized access by cybercriminals, specifically a threat actor known as “Play,” who targeted the defendant’s computer systems using ransomware.
The breach was not detected until August, and affected individuals were notified last month. The delay in notification prompted concerns about the defendant’s data security measures and their capacity to protect sensitive information, leading to the lawsuit.
The defendant, a collection agency serving various businesses and healthcare providers, had stored a substantial amount of sensitive personal and health information, including names, addresses, social security numbers, health insurance details, medical records, and payment information. This information was exfiltrated by cybercriminals and has left individuals vulnerable to identity theft and fraud. The defendant’s website currently states: “We are currently experiencing software and phone issues. We are sorry for the inconvenience. We hope to be back up and running in the next few days.”
The plaintiffs are alleging that the defendant failed to take reasonable measures to protect the personal information that was entrusted to them by individuals and healthcare providers. Specifically, the claims made against the defendant include negligence in securing sensitive data, breach of implied contract, breach of fiduciary duty, and violation of the Illinois Consumer Fraud and Deceptive Business Practices Act.
The lawsuit asserts that the data breach resulted from the defendant’s inadequate cybersecurity practices, which left their systems vulnerable to foreseeable cyberattacks. The plaintiff argues that the defendant did not implement industry-standard security measures or provide timely notice to individuals impacted by the breach. The plaintiff also contends that the defendant’s failure to safeguard personal and health information led to significant financial and emotional distress for affected individuals, who now face an increased risk of identity theft, fraud, and potential misuse of their medical information.