Southeast Series of Lockton Companies to Pay $9.9 Million to Settle Data Breach Litigation
Southeast Series of Lockton Companies, LLC, a provider of insurance services, has agreed to pay up to $9,900,000 to settle a class action lawsuit stemming from a major data breach in November 2024.
While many cyberattacks involve attackers gaining broad access to computer networks, in this case a hacker accessed a single account and computer within the Lockton environment. Despite the limited access, the hacker was able to access files containing the protected health information of 1,124,727 individuals, including names, addresses, phone numbers, email addresses, dates of birth, Social Security numbers, and financial information. The affected individuals were notified about the data breach in March 2025 and were offered complimentary credit monitoring services for 24 months.
Multiple class action lawsuits were filed in response to the data breach and were consolidated into a single complaint – Penny Beasley, et al. v. Southeast Series of Lockton Companies, LLC, et al. – in the Circuit Court of Jackson County, Missouri. The defendants maintain there was no wrongdoing and no laws were violated; however, they determined that a settlement was the best outcome to avoid the cost, time, distraction, and burden of continuing with the litigation. The plaintiffs and class counsel believe the settlement is fair and in the best interests of all class members.
Under the terms of the settlement, the defendants will pay up to $9,900,000 to resolve the lawsuit, of which $3,000,000 will be allocated to cover claims for reimbursement of losses due to the data breach, and $5,900,000 will be paid into a common settlement fund. Claims may be submitted for up to $5,000 per class member as reimbursement for documented, unreimbursed losses due to the data breach. If the total claims exceed $3,000,000, they will be paid pro rata. The common settlement fund will be used to pay attorneys’ fees and expenses, settlement administration and notification costs, service awards for the class representatives, financial data monitoring, and cash payments for the class members.
All class members are entitled to claim a one-year membership to CyEx Financial Shield Complete – a financial data monitoring service. The cash payments will be paid pro rata from the remaining funds in the common settlement fund after costs have been deducted. The deadline for objection, opting out, and submitting a claim is April 7, 2026. The settlement has received preliminary approval from the court, and the final fairness hearing has been scheduled for May 7, 2026.
April 23, 2025: Southeast Series of Lockton Companies Facing Multiple Lawsuits over 1M-Record Breach
Southeast Series of Lockton Companies (Lockton) in Kansas City, Missouri, is facing multiple lawsuits over a data breach that was first reported to OCR as affecting 1,706 individuals but was later found to have affected more than 1 million individuals.
Lockton is an insurance brokerage firm that provides insurance and employee benefit services in several industry sectors, including aerospace, real estate, banking, energy, education, retail, and healthcare. On February 28, 2025, Lockton filed a breach report with the HHS’ Office for Civil Rights about a hacking incident involving a network server. State Attorneys General were also informed about the breach, and individual notification letters have been mailed to the affected individuals. The March 20, 2025, breach notification letters state that “an unauthorized party accessed a single individual account and computer within the Lockton environment and obtained certain files on November 20, 2024.” While the account and computer were only compromised for a few hours, sensitive data was copied.
The breached information includes names, addresses, phone numbers, email addresses, dates of birth, Social Security numbers, and financial information. The affected individuals were offered 24 months of complimentary credit monitoring and identity theft protection services. Since filing the breach report with OCR, the total number of affected individuals has increased from 1,706 to 1,025,956, making it the second-largest healthcare data breach to be reported by a HIPAA-regulated entity so far in 2025.
Several law firms have opened investigations, and at least 11 class action lawsuits have been proposed alleging Lockton failed to implement reasonable and appropriate cybersecurity measures to prevent unauthorized access to sensitive data, and that the inadequate security was exploited by cybercriminals to access its network and steal sensitive data. The lawsuits claim the lack of cybersecurity measures amounts to negligence. The lawsuits seek a jury trial, compensatory and punitive damages, attorneys’ fees, and legal costs and expenses.


