Illinois Accountancy Firm Sued Over 217,000-Record Data Breach
Legacy Professionals, an Illinois-based certified public accountancy firm, has notified almost 217,000 individuals about an April 2024 security incident involving data theft from its systems. Suspicious activity was identified within its computer network in late April, and a forensic investigation was launched to confirm the nature and scope of the activity. The investigation confirmed that there had been unauthorized access to its network, but client systems were unaffected. The investigation uncovered no evidence of data theft.
In November 2024, Legacy Professionals learned that certain files had been exfiltrated from its network by an unauthorized actor. Legacy Professionals initiated a comprehensive review of the files and engaged data review specialists to assist with the time-intensive review. That process was completed in February 2025 and confirmed that the stolen data included employee benefit plan information such as names, Social Security numbers, driver’s license/state ID numbers, medical treatment information, and health insurance information. Legacy Professionals said it has made further enhancements to data security to prevent similar breaches in the future. Individual notification letters were mailed to the affected individuals in late February, and the breach was reported to the HHS’ Office for Civil Rights as involving the protected health information of 216,752 individuals. Credit monitoring and identity theft protection services do not appear to have been made available.
Several class action lawsuits have already been filed against the accountancy firm over the data breach. One of those lawsuits was filed in the U.S. District Court for the Northern District of Illinois Eastern Division on behalf of plaintiff Greg Johnson and similarly situated individuals. The lawsuit claims Legacy Professionals was negligent by failing to implement reasonable and appropriate safeguards to protect the information stored on its network, and that the accountancy firm failed to take appropriate actions after the data breach by not issuing timely notifications, as required by the HIPAA Breach Notification Rule.
According to the lawsuit, Legacy Professionals was unaware that the stolen data had been published on the dark web and only discovered the data leak in November 2024. The affected clients were not notified until December 18, 2024, and individual notification letters were not mailed until February – 10 months after the data theft occurred. The lawsuit claims the delay in notification resulted in further harm being caused to the plaintiffs. In addition to negligence, the Legacy Professionals class action data breach lawsuits assert claims of negligence per se, breach of fiduciary duty, breach of implied contract, and unjust enrichment and seek a jury trial and financial damages.


