Class Action Says Mercyhurst University Failed to Prevent Months-Long 2022 Data Breach
Boje v. Mercyhurst University
Filed: March 2, 2023 ◆§ 1:23-cv-00046
Mercyhurst University faces a class action that alleges a months-long data breach last year was caused by the private Pennsylvania school’s failure to implement adequate cybersecurity measures.
Mercyhurst University faces a proposed class action that alleges a months-long data breach last year was caused by the private Pennsylvania school’s failure to implement adequate cybersecurity measures.
Want to stay in the loop on class actions that matter to you? Sign up for ClassAction.org’s free weekly newsletter here.
The 31-page case says that LockBit, a well-known cybercriminal group, infiltrated the Catholic university’s computer networks between January 16 and May 15, 2022, exposing the names, Social Security numbers and financial account details of “at least thousands” of employees and current and former students. The suit claims Mercyhurst University paid a ransom to prevent LockBit from publishing the stolen information on May 22 of last year and then waited until November 8 to notify victims of the incident.
However, the complaint contends that Mercyhurst University’s notice of the incident was deficient in that it “obfuscated the nature of the breach and the threat it posed,” and omitted details about how many people were impacted, how the incident occurred and why it took over a year to inform affected individuals that their information had been compromised.
Although Mercyhurst University offers dedicated undergraduate and graduate cybersecurity programs, and has even presented at a Department of Defense event discussing cybersecurity attacks on key infrastructure, the 2022 data breach stemmed from the school’s failure to properly implement—or train employees on—up-to-date data security protocols, the filing alleges.
According to the case, Mercyhurst University has long recognized its legal duty to protect consumers’ sensitive data, but only after the incident did the institution promise affected individuals that it would “implement additional safeguards and review our policies and procedures relating to data privacy and security.”
Mercyhurst University data breach victims face “severe” ramifications as they deal with a “significant risk of continued identity theft” and other fraudulent uses of their personal information, the filing argues. The complaint also relays that preventing and recovering from the unauthorized use of financial or personal information can often come with a hefty, out-of-pocket price tag.
The lawsuit seeks to cover anyone in the United States whose personal information was compromised in the data breach disclosed by Mercyhurst University in November 2022.
Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s free weekly newsletter here.
Hair Relaxer Lawsuits
Women who developed ovarian or uterine cancer after using hair relaxers such as Dark & Lovely and Motions may now have an opportunity to take legal action.
Read more here: Hair Relaxer Cancer Lawsuits
How Do I Join a Class Action Lawsuit?
Did you know there's usually nothing you need to do to join, sign up for, or add your name to new class action lawsuits when they're initially filed?
Read more here: How Do I Join a Class Action Lawsuit?
Stay Current
Sign Up For
Our Newsletter
New cases and investigations, settlement deadlines, and news straight to your inbox.
Before commenting, please review our comment policy.