Accounting Firm Alerts 217,000 Individuals about Health Data Breach


CPA Firm Reports Employee Benefit Plan Information Compromised in 2024 Incident

A significant hacking incident at Legacy Professionals, a certified public accounting firm, ranks among the largest breaches reported to federal regulators this year.

In a significant cybersecurity breach, Legacy Professionals LLP, a certified public accounting firm serving labor unions and non-profit organizations with employee benefit plans, has reported the compromise of sensitive client data affecting nearly 217,000 individuals. The incident, which occurred in 2024, has led to at least five proposed federal class action lawsuits alleging negligence on the part of the firm due to its delayed notification of the breach.

Legacy Professionals notified federal and state regulators about the breach on February 28, 2025, with the details of the incident recently listed on the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights HIPAA Breach Reporting Tool. The firm indicated that the breach involved a network server and affected 216,752 individuals, but stated that none of its clients’ IT systems were compromised.

The legal ramifications have already taken shape, with plaintiffs alleging that Legacy Professionals was negligent in failing to protect sensitive information belonging to class members. Furthermore, the lawsuits argue that the firm’s 10-month delay in notifying affected parties exacerbated the harm caused by the breach. The breach reportedly occurred in April 2024, yet Legacy’s notification to affected individuals did not go out until February 27, 2025, which has prompted serious scrutiny under HIPAA regulations.

Legacy Professionals, in its breach notice, stated that in late April 2024 the firm detected “potentially suspicious activity” within its network. Immediate steps were taken to secure the infrastructure and to investigate the scale and nature of the breach with the aid of third-party cybersecurity experts. Following a thorough investigation initiated in November 2024, the firm confirmed that certain files had been illicitly extracted by an unauthorized actor.

The compromised data is reported to have included personal identifiers such as names, Social Security numbers, driver’s license details, health insurance information, and treatment records, although the specific data elements varied among the individuals affected. While Legacy Professionals maintains that there is no current evidence of identity theft or fraud resulting from this breach, it is nevertheless providing affected clients with 24 months of credit and identity monitoring.

Legal representation for Legacy Professionals did not immediately respond to inquiries regarding the breach or the ongoing litigation, underscoring the complexity of the incident and potential implications for the firm moving forward.

The incident is a significant addition to the ongoing saga of major data breaches impacting healthcare and related sectors. To date, the HHS OCR has logged 124 significant health data breaches affecting more than 4.6 million individuals this year, with business associates linked to approximately 46% of these breaches.

The incident can be mapped onto cybersecurity frameworks such as the MITRE ATT&CK matrix, potentially involving adversarial tactics across several stages, including initial access, persistence, and privilege escalation. Exploitation of vulnerabilities may have facilitated the unauthorized access, highlighting the continuous threat faced by organizations handling sensitive health data.

As the landscape of data breaches continues to evolve, it is imperative for businesses to remain vigilant and proactive in addressing cybersecurity risks. The Legacy Professionals case serves as a notable reminder of the necessity for robust risk management strategies and timely breach notification policies to mitigate adverse impacts for all stakeholders involved.
