Skip to content

Hackers stole private information of more than 50,000 clients from a Philly-based law firm, lawsuits say

The suit accuses Blank Rome of failing to adequately protect sensitive client information, including Social Security numbers and medical records.

Closeup of a gavel in a court room.
Closeup of a gavel in a court room.Read moreGetty Images

Cybercriminals duped a Blank Rome attorney into sharing the personal information of 57,554 former and current clients, two federal lawsuits filed Monday say.

The firm, which is headquartered in Philadelphia and has 15 other offices nationwide, notified impacted clients a month after the incident, according to the complaints.

The two nearly identical proposed class-action lawsuits, filed in the Eastern District of Pennsylvania by former Blank Rome clients from California, accuse the firm of negligence, breach of contract, and violation of consumer protection laws, among other claims.

Blank Rome failed to use industry standards for cybersecurity and to comply with safeguards mandated by a federal medical privacy law, according to the complaints. It also didn’t appropriately train staff to identify these types of cyber schemes, the suits said.

The lawsuits asks a judge to certify the class action on behalf of all people impacted by the breach, award them damages, and order action to ensure their identities are protected.

“The exposure of one’s Private Information to cybercriminals is a bell that cannot be unrung,” the suits say. “Before this data breach, its current, former, and prospective clients’ Private Information was exactly that — private. Not anymore."

The incident was limited to one attorney and the firm’s network was never breached, a Blank Rome spokesperson said.

“We are committed to protecting our clients’ information and maintaining the trust they place in us,” the firm’s statement said. “We believe the lawsuit has no merit and will aggressively defend against it.”

The attorney who filed the two lawsuits did not respond to a request for comment.

Class-action lawsuits following cybersecurity breaches have become increasingly common. Earlier this year, Comcast agreed to pay $117.5 million to settle two dozen suits over a 2023 data breach, and the University of Pennsylvania was sued multiple times over an October breach that impacted fewer than 10 people.

They are also lucrative for class attorneys who can pocket as much as a third of the settlement’s amount.

The Blank Rome data breach took place on May 21 after an “unauthorized third party” posing as a member of the firm’s IT department instructed a Blank Rome attorney to upload files to an external Google Drive, according to a notice of breach attached to the complaint.

Clients began receiving notice on June 26, the suits say.

The firm identified the breach within two hours, deleted all the files on the drive, and opened an investigation, the notice said. Blank Rome also notified law enforcement.

The notice was sent to clients whose information, which included names and Social Security numbers, was stolen. Clients’ addresses, dates of birth, driver’s license numbers, passport numbers, and medical and health insurance information were also potentially obtained by the hackers, the notice said.

Blank Rome provided complimentary credit monitoring to impacted clients, the notices said, and has taken internal steps “mitigating similar risk,” including by working with cybersecurity professionals.

“We are notifying you of this incident and want to assure you that we take it seriously,” the firm’s notice said.