Lawson Products Facing Class Action Over Data Breach Affecting Nearly 30K Current, Former Employees
Davis v. Lawson Products, Inc.
Filed: April 4, 2023 § 1:23-cv-02118
Lawson Products, Inc. faces a proposed class action over a 2022 data breach that reportedly exposed the personal and health information of at least 29,639 current and former employees.
The 34-page case claims that Lawson Products, an industrial distributor of maintenance and repair supplies, fell victim to a “phishing and malware” attack on February 2 last year due to its failure to adequately train employees on data security or implement reasonable cybersecurity measures. The complaint says that Lawson Products did not realize that it had been hacked until February 8, indicating that the company had no effective means to prevent, detect, stop or mitigate a breach of its systems.
As the suit tells it, it is unknown how long the perpetrators had access to Lawson Products’ network before the cyberattack was discovered.
According to the complaint, Lawson Products then waited until July 11, 2022 to notify current and former employees that cybercriminals had stolen swaths of sensitive data stored on its computer network, including their names; home addresses; Social Security, driver’s license, passport and state ID card numbers; credit card and debit card numbers; medical and health insurance information; financial account numbers and corresponding security codes, access codes, passwords and PINs.
The filing stresses that affected individuals now face an “imminent and impending” risk of fraud and identity theft. Although Lawson Products has offered some victims credit monitoring and identity-related services, the suit argues that these measures are “wholly insufficient” since victims’ data may be traded on the black market for years to come.
Per the lawsuit, Lawson Products’ delayed disclosure of the breach has deprived current and former employees of the opportunity to mitigate the risks of fraud and identity theft in a timely manner.
The plaintiff, an Indiana resident who worked for Lawson Products from 2013 to 2019, says an unauthorized actor accessed his bank account and stole $220 due to the exposure of his private information during the breach. The man also claims that his student loan account was fraudulently accessed after the cyberattack, causing his credit score to drop.
Ultimately, the filing contends that Lawson Products had a legal duty to protect employees’ data from unauthorized access and disclosure. Specifically, Lawson Products failed to comply with the Health Insurance Portability and Accountability Act (HIPAA), which requires companies to employ necessary technical safeguards to ensure that consumers’ protected health information remains confidential.
The lawsuit looks to represent anyone in the United States whose personally identifiable information or protected health information was compromised in the data breach discovered by Lawson Products, Inc. in February 2022.