Legacy Professionals, a certified public accountancy firm based in Illinois, has notified about 217,000 people about a security incident and data theft that occurred in April 2024. The firm discovered suspicious activity in its computer system at the end of April and launched a forensic investigation to determine the nature and extent of the incident. The investigation confirmed unauthorized access to its system, although client systems were not affected, and found no evidence of data theft at the time.
In November 2024, Legacy Professionals learned that an unauthorized actor had extracted files from its system. The firm began an extensive analysis of the files and engaged data review experts to assist. That review was completed in February 2025 and confirmed that the stolen information included worker benefit plan details such as names, driver’s license/state ID numbers, Social Security numbers, medical treatment data, and medical insurance details. Legacy Professionals said it has taken steps to improve data security to prevent similar breaches in the future. Affected individuals were sent personal notification letters at the end of February. Legacy Professionals reported the breach to the HHS’ Office for Civil Rights as affecting the protected health information (PHI) of 216,752 people. It appears that no credit monitoring or identity theft protection services were offered.
Legacy Professionals is facing multiple class action lawsuits over the data breach. One lawsuit was filed in the U.S. District Court for the Northern District of Illinois, Eastern Division, by plaintiff Greg Johnson on behalf of similarly situated persons. The lawsuit alleges that Legacy Professionals was negligent in failing to implement adequate safeguards to protect the data stored on its system, and that it failed to respond appropriately after the breach by not issuing prompt notifications, as required by the HIPAA Breach Notification Law. This suggests a lack of HIPAA training or awareness on the part of Legacy Professionals.
According to the lawsuit, Legacy Professionals was unaware that the stolen data had been leaked on the dark web and only learned of the exposure in November 2024. Affected clients were not informed until December 18, 2024, and personal notification letters were not mailed until February, 10 months after the incident occurred. The lawsuit states that the delayed notification caused additional harm to the plaintiffs. In addition to negligence, the Legacy Professionals class action data breach lawsuits allege unjust enrichment, negligence per se, breach of implied contract, and breach of fiduciary duty, and seek financial compensation and a jury trial.