An unnamed hospital client of Jackson Lewis experienced a significant data breach where employee negligence (clicking on a phishing email) led to unauthorized access to sensitive systems. The breach triggered multiple class-action lawsuits, including one filed in a Pennsylvania state court after the plaintiff exploited a procedural loophole by serving the hospital directly instead of through formal channels. The exposed data likely included employee and patient records, with potential compromise of personal, financial, or health information (PHI). The hospital faced seven federal lawsuits and one state lawsuit, with plaintiffs alleging negligence, breach of implied contract, and statutory violations (e.g., California’s data protection laws). The case highlights vulnerabilities in incident response coordination, as the hospital failed to track the state court filing, leading to a default risk. Settlement negotiations favored the last-filed plaintiff due to jurisdictional leverage, increasing legal costs and reputational harm. The breach underscores risks tied to insufficient employee training, delayed forensic analysis, and broad notification strategies inflating litigation exposure (e.g., sending notices to 500,000 instead of the actual 100,000 affected).

The California Office of the Attorney General reported a data breach involving Jackson Lewis P.C. on August 31, 2023. The incident involved the theft of two hard drives containing personal information, which was discovered on January 7, 2022. The number of affected individuals is unknown.