$17.5 Million Settlement Resolves Infosys McCamish Systems Data Breach Lawsuit
A settlement has been agreed to resolve multiple Infosys McCamish Systems class action lawsuits that were filed in response to a 2023 ransomware attack and data breach that involved unauthorized access to the personal data of more than 6 million individuals. Infosys is India’s second-largest IT services provider, and Infosys McCamish Systems is a U.S. subsidiary that provides life insurance and retirement software and services. In November 2023, Infosys McCamish Systems discovered its systems had been breached in a ransomware attack. The forensic investigation confirmed that an unauthorized cyber actor had access to its systems between October 29 and November 2, 2023, exfiltrated sensitive data, and used ransomware to encrypt files.
The LockBit ransomware group claimed responsibility for the attack and demanded a ransom, payment of which was required to obtain the keys to decrypt data and prevent the stolen data from being made public. A LockBit representative claimed that Infosys McCamish offered to pay $50,000 to prevent the release of the stolen data but the lowball offer was refused and the stolen data was leaked.
In an April 2024 update on the incident, Infosys McCamish explained that the affected systems were substantially restored by December 31, 2023, and its third-party cybersecurity investigation confirmed that sensitive data had been exfiltrated. A third-party eDiscovery vendor was engaged to review the exposed and stolen data and confirmed that up to 6.5 million individuals were affected. The ransomware group also accessed and exfiltrated the business data of certain customers. The stolen data included names, mailing addresses, phone numbers, email addresses, birth dates, Social Security numbers, driver’s license numbers/state ID numbers, usernames, passwords, financial and customer account numbers, policy numbers, salaries, personal medical information, and other identification numbers such as tribal and military ID numbers. Infosys McCamish Systems had previously informed state attorneys general that the breach affected approximately 57,000 individuals. In June 2024, the breach notices were updated to state that 6.08 million individuals had been affected.
As is now common following data breaches, multiple class action lawsuits were filed in response to the data breach. The Infosys McCamish Systems data breach lawsuits allege negligence for failing to properly secure and safeguard the sensitive information of its clients’ customers. As a result of the Infosys McCamish data breach, the plaintiffs and class members claim they have suffered concrete injuries including invasion of privacy, lost time and opportunity costs while mitigating the consequences of the data breach, loss of benefit of the bargain, out-of-pocket losses, and increased risk of identity theft, fraud, and impersonation scams. The Infosys McCamish lawsuit also asserted claims of negligence per se, breach of third-party beneficiary contract, and unjust enrichment.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Further, Infosys McCamish Systems was alleged to have delayed issuing notifications about the data breach, and when the notification letters were sent, they did not include sufficient information about the data breach, which diminished the ability of class members to mitigate the harms caused by the data breach. Infosys McCamish Systems denied and continues to deny the claims in the lawsuit and maintains there was no wrongdoing; however, a settlement was agreed to resolve the lawsuit to avoid further litigation costs and the risks and uncertainty associated with continuing the litigation.
In a regulatory filing on March 14, 2025, Infosys McCamish confirmed that a settlement has been agreed in principle to resolve all claims and allegations made in six class action lawsuits, with the proposed agreement settling all pending class action lawsuits. The details of the settlement are subject to confirmation and due diligence by the plaintiffs, and preliminary and final approval from the courts.
