CPA Says Clients’ Employee Benefit Plan Information Compromised in 2024 Incident

A certified public accounting firm that provides services to labor unions, non-profits and other organizations for employee benefit plans is notifying nearly 217,000 people of a 2024 hack. The firm is already facing at least five proposed federal class action lawsuits related to the breach.
Illinois-based Legacy Professionals LLP reported the incident to federal and state regulators on Feb. 28, 2025. The breach was posted in recent days on the U.S. Department of Health and Human Services’ Office for Civil Rights HIPAA Breach Reporting Tool website, which lists major health data breaches affecting 500 or more individuals. Legacy Professionals told HHS OCR that the hacking incident involved a network server and affected 216,752 individuals.
The incident did not involve any of its clients’ IT systems, Legacy Professionals said.
As of Monday, Legacy Professionals appeared to be facing at least five proposed federal class action lawsuits filed within the last 10 days.
The lawsuits – all seeking financial damages – make similar claims, including that Legacy Professionals was negligent in failing to protect plaintiffs’ and class members’ sensitive private information from cybercriminals. The lawsuits also claim that Legacy Professionals’ 10-month delay in notifying affected individuals of the breach “caused additional harm.”
“The breach occurred on April 2024 but Legacy did not notify the victims until Feb. 27, 2025,” alleged the proposed class action lawsuit filed against Legacy Professionals by plaintiff Matthew Abraham on behalf of himself and others similarly situated.
“Defendant offered no explanation or purpose for the delay. This delay violates HIPAA and other notification requirements and increased the injuries to plaintiff and class,” the lawsuit alleges. Under HIPAA, regulated covered entities and business associates must notify affected individuals of compromises involving their protected health information within 60 days of discovering the breach.
Legacy Professionals in a breach notice posted on its website said that in late April 2024, it learned of “potentially suspicious activity” related to some data stored on its computer network. The firm said it immediately took steps to secure its IT environment and investigate the nature and scope of the issue with the aid of a third-party cybersecurity specialist.
“After receiving additional information in November 2024, the investigation determined that certain files had been taken from Legacy servers by an unauthorized actor,” the notice said.
Legacy Professionals said it conducted a comprehensive review to identify the information and people affected by the breach.
“In early February 2025, the investigation confirmed that the information on our system at the time of the incident may have included information relating to individual’s name, Social Security number, driver’s license and state ID number, and medical treatment and health insurance information,” Legacy Professionals said. The compromised information varies by individual.
So far, Legacy Professionals said it has no evidence indicating that any of the compromised information has been used to commit identity theft or fraud. Affected individuals are being offered 24 months of credit and identity monitoring. “Although Legacy has always taken data security and privacy very seriously, we have implemented even more stringent access controls,” the firm said.
An attorney representing Legacy Professionals in its breach report did not immediately respond to Information Security Media Group’s request for additional details regarding the hacking incident and for comment on the multiple proposed class action lawsuits filed against the firm.
Major Business Associate Breaches
As of Monday, the HHS OCR website shows 124 major health data breaches posted so far this year, affecting more than 4.6 million people. Of those, business associates were reported as being involved in about 46% of the breaches – or 57 incidents affecting more than 1.5 million individuals. That’s about one-third of the total number of people affected so far this year by major health data breaches.
The Legacy Professionals hack as of Monday is the third-largest business associate breach posted on the HHS OCR website so far in 2025.
The largest 2025 business associate breach listed on the HHS OCR website as of Monday was reported in January by Medusind, a Florida-based revenue cycle management and billing services vendor. Medusind told federal regulators that its hacking incident discovered in December 2023 affected more than 694,000 individuals.
So far in 2025, the second-largest breach involving a business associate appearing on the HHS OCR website was reported by Pennsylvania-based Allegheny Health Network, which has 14 hospitals and more than 200 primary and specialty-care practices in more than 300 clinical locations and offices.
AHN reported in January that one of its vendors – IntraSystems, which hosts and manages some IT systems that support AHN’s subsidiary home medical equipment and home infusion companies – was hacked, affecting about 293,000 AHN patients (see: IT Services Vendor Hack Affects 293,000 AHN Patients).
In 2024, a total of 732 breaches affecting about 277 million people were reported to HHS OCR. Of those, 220 breaches affecting nearly 222 million individuals were reported as involving a business associate. The largest of all those breaches was the ransomware hacking incident reported by Change Healthcare – as a business associate – affecting 190 million individuals.
Change Healthcare, the IT services unit of health insurer UnitedHealth Group, faces dozens of proposed federal class action lawsuits and regulatory investigations involving the February 2024 incident.