Another Day, Another 216,000 Social Security Numbers Stolen From an Accounting Firm

terrible hacker stock photo

Absurd “hacker” stock photos will never not be funny to us. This one doesn’t even make sense; why are they standing up??

We’ve written up several accounting firm data breaches in the past year or two, some of them involving a significant amount of personal information. The one we’re writing about today appears to be the biggest heist in recent memory based on the number of affected individuals.

Before we get into that, let’s quickly revisit posts just from 2024:

And a biggie in 2023 that hit firms we’ve actually heard of and care about:

Today’s data breach winner (loser?) is Legacy Professionals LLP of Illinois, a firm consisting of 19 partners and 135 professionals. According to a notice on their website, the firm became aware of suspicious activity on their network in late April 2024. From there:

We immediately took steps to secure our environment and launched an investigation to confirm the full nature and scope of the activity with the assistance of industry-leading cybersecurity specialists. At that time, we were advised that the investigation identified no evidence of data taken from our systems. After receiving additional information in November 2024, the investigation determined that certain files had been taken from Legacy servers by an unauthorized actor. Therefore, Legacy conducted a comprehensive and time-intensive review of the involved files, with the assistance of data review specialists, to identify what information was impacted and the individuals to whom the information relates. Now that the investigation is complete, we are contacting all potentially impacted individuals.

Impacted data includes names, social security numbers, driver’s license/state ID numbers, and medical treatment / health insurance information. Legacy was in possession of this data “in relation to the provision of accounting services performed for individuals, corporations, not-for-profit organizations, labor unions and their related employee benefit plans.”

The HIPAA Journal has some more information not included in the firm’s notification, namely that the breach was reported to the US Department of Health and Human Services Office for Civil Rights and, according to that report, involves the protected health information of 216,752 individuals.

And there’s this:

According to the lawsuit, Legacy Professionals was unaware that the stolen data had been published on the dark web and only discovered the data leak in November 2024. The affected clients were not notified until December 18, 2024, and individual notification letters were not mailed until February – 10 months after the data theft occurred. The lawsuit claims the delay in notification resulted in further harm being caused to the plaintiffs. In addition to negligence, the Legacy Professionals class action data breach lawsuits assert claims of negligence per se, breach of fiduciary duty, breach of implied contract, and unjust enrichment and seek a jury trial and financial damages.

The firm says they have no evidence the looted information has been used to commit identity theft or fraud at the time they issued the data breach notice. It doesn’t appear they’re offering free credit monitoring as most breached firms do. But they did provide info on how to get a free credit report from the major reporting agencies and promised to do better going forward. “Although Legacy has always taken data security and privacy very seriously, we have implemented even more stringent access controls,” the firm said.

“We encourage individuals to remain vigilant against incidents of identity theft and fraud by reviewing account statements, explanations of benefits, and monitoring credit reports for suspicious activity and to detect errors,” they added.