CPA Firm Discloses Employee Benefit Plan Information Breach from 2024

A notable breach at Legacy Professionals LLP, a certified public accounting firm, has compromised data related to employee benefit plans for nearly 217,000 individuals. The Illinois-based firm provides services primarily to labor unions and non-profits. The incident, which occurred in 2024, has prompted at least five federal class action lawsuits.
According to reports, Legacy Professionals notified federal regulators about the breach on February 28, 2025. The incident was recently listed on the U.S. Department of Health and Human Services’ Office for Civil Rights (HHS OCR) HIPAA Breach Reporting Tool, revealing that the attack affected 216,752 individuals. Importantly, the firm clarified that its clients’ IT systems were not involved in the compromise.
Legal action initiated against Legacy Professionals claims negligence, asserting that the firm failed to safeguard sensitive private information against cyber threats. The lawsuits also allege that a 10-month delay in informing affected individuals exacerbated the damage, violating HIPAA regulations, which mandate timely notification following a breach.
According to court documents, the breach is reported to have begun in April 2024, yet affected individuals were not notified until February 27, 2025. This delay, as outlined in the lawsuits, purportedly lacks justification and may have worsened the plight of those impacted. HIPAA requires that individuals be notified of breaches affecting protected health information within 60 days of discovery, underscoring the critical role of prompt communication in mitigating harm.
In an official statement posted on its website, Legacy Professionals mentioned that it identified “potentially suspicious activity” on its servers in late April 2024, leading to an immediate response to reinforce its cybersecurity posture. The investigation, conducted with a cybersecurity specialist, ultimately confirmed that unauthorized actors accessed and exfiltrated certain files.
By early February 2025, the investigation revealed that personal information—including names, Social Security numbers, and health insurance details—may have been compromised, with the specific data elements varying by individual. Despite the severity of the breach, Legacy Professionals noted that no evidence currently indicates that this data has been misused for identity theft.
To address potential ramifications, the firm is offering affected individuals 24 months of credit and identity monitoring services and has heightened its security protocols. However, as of the latest reports, no representative from Legacy Professionals has commented on the ongoing litigation or detailed the specifics of the cybersecurity breach.
The incident at Legacy Professionals is among 124 significant health data breaches documented this year, impacting over 4.6 million individuals, with business associates accounting for approximately 46% of these breaches. This trend underscores the vulnerabilities present in third-party vendor relationships, which can expose clients to substantial risks in the event of a security incident.
The Legacy Professionals breach now stands as the third-largest business associate breach officially recorded in 2025, illustrating a worrying pattern for firms operating within this domain. As cybersecurity threats evolve, the importance of robust third-party risk management strategies becomes increasingly critical in protecting sensitive data.