Onix Group to Blame for March 2023 Data Breach, Class Action Alleges

New to ClassAction.org? Read our Newswire Disclaimer

A proposed class action claims real estate investment company Onix Group, LLC failed to protect the private information of 320,000 individuals during a March 2023 cyberattack.

Want to stay in the loop on class actions that matter to you? Sign up for ClassAction.org’s free weekly newsletter here.

According to the 56-page lawsuit, an investigation following a March 27 ransomware attack on the company’s internal computer network revealed that, between March 20 and 27, an unauthorized third party had infiltrated the system, corrupted parts of the network and stolen certain data maintained on behalf of Onix’s employees, affiliates and clients. The suit relays that the records compromised in the breach may have included individuals’ names, Social Security numbers, dates of birth and clinical information. The compromised files also contained human resources information and may have exposed some individuals’ direct deposit and health plan enrollment information, the complaint says.

The Pennsylvania-based real estate development firm, which also provides business management and consulting services, collects and stores personal data on behalf of its healthcare and hospitality clients, including Addiction Recovery Systems, Cadia Healthcare, Physicians Mobile X-Ray and Onix Hospitality Group, the case explains.

However, despite its legal obligation to safeguard the information entrusted to it, Onix Group allegedly failed to implement adequate cybersecurity practices to protect the data, which it stored in a “vulnerable” and “dangerous condition” in its network, the complaint claims.

What’s more, the company delayed notifying victims of the breach until May 26 of this year, months after the incident was purportedly discovered, the filing contends.

As the lawsuit tells it, Onix Group has “done little” in the way of providing relief for impacted individuals. The suit argues that its offer to victims of 12 months of credit monitoring services is “wholly inadequate” in the face of the lifelong risks of identity theft and fraud that those affected now suffer.

The plaintiff, a Delaware resident and patient of one of the defendant’s client businesses, was notified by Onix Group on May 26 that his private, highly sensitive information had been compromised in the breach, the case says.

“Even with the best response,” the complaint shares, “the harm caused to [the plaintiff] cannot be undone.”

The lawsuit looks to represent anyone whose personal information was actually or potentially accessed or acquired during the Onix Group data breach.

Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s free weekly newsletter here.