Brightstar Global Solutions Corporation Data Breach 2025: 103,879 Affected (Including Health Data) · Now Brightstar Lottery PLC · RI Health Plan
Brightstar Global Solutions Corporation, the Rhode Island lottery technology operator formerly part of IGT, filed an HHS OCR breach on October 3, 2025 affecting 103,879 individuals. Unauthorized access was discovered November 17, 2024 and the data review completed August 21, 2025 — an eleven-month notification gap. Exposed data per state AG notices includes names, dates of birth, government IDs, Social Security numbers, financial account information, and health data. Kroll identity monitoring offered. Multiple plaintiffs' firms investigating. Here is what to do.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Nov 17, 2024
Unauthorized third party access to Brightstar/IGT internal corporate systems discovered
Nov 17, 2024
Same-day detection per company notice
Aug 21, 2025
Data review completed identifying impacted individuals and data elements
Oct 3, 2025
Notification letters mailed; HHS OCR filing; state AG filings (CA, ME, MA, MT, OR)
Oct 3, 2025
HHS OCR portal entry — 103,879 affected, Hacking/IT Incident, Network Server
Oct 6, 2025
Vermont Attorney General notice filed; multiple plaintiffs' firms announce investigations same week (Strauss Borrelli, Lynch Carpenter, Murphy Law Firm, Edelson Lechtzin, Schubert Jonckheer & Kolbe, Cafferty Clobes, Federman & Sherwood, Pittman Dutton)
Nov 17, 2024
Unauthorized third party access to Brightstar/IGT internal corporate systems discovered
Nov 17, 2024
Same-day detection per company notice
Aug 21, 2025
Data review completed identifying impacted individuals and data elements
Oct 3, 2025
Notification letters mailed; HHS OCR filing; state AG filings (CA, ME, MA, MT, OR)
Oct 3, 2025
HHS OCR portal entry — 103,879 affected, Hacking/IT Incident, Network Server
Oct 6, 2025
Vermont Attorney General notice filed; multiple plaintiffs' firms announce investigations same week (Strauss Borrelli, Lynch Carpenter, Murphy Law Firm, Edelson Lechtzin, Schubert Jonckheer & Kolbe, Cafferty Clobes, Federman & Sherwood, Pittman Dutton)
Data exposed
01
High-risk identity
Enables financial + identity theft
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
Brightstar Global Solutions Corporation, a Rhode Island lottery-technology operator that until recently was part of International Game Technology (IGT), filed an HHS OCR breach on October 3, 2025 reporting 103,879 affected individuals. The OCR portal classifies the entity as a Health Plan and the incident as a Hacking/IT Incident at Network Server — consistent with employee, retiree, or participant health-plan records being among the data sets stored on the compromised internal systems. Unauthorized access was actually discovered eleven months earlier, on November 17, 2024, and the data review did not complete until August 21, 2025.
Timeline
- November 17, 2024 — Brightstar and IGT discover that an unauthorized third party accessed certain internal corporate systems.
- August 21, 2025 — Forensic review of impacted data completes, identifying affected individuals and data elements.
- October 3, 2025 — Notification letters begin mailing. Brightstar files with HHS OCR (103,879 affected) and with the Attorneys General of California, Maine, Massachusetts, Montana, Oregon, Washington, New Hampshire, Iowa, Nebraska, South Carolina, and Texas. Rhode Island AG receives notice the same week; the Rhode Island count is 6,354 residents. Other confirmed resident counts: Washington (1,796), Massachusetts (1,483), Montana (208), Maine (116).
- October 6, 2025 — Vermont Attorney General receives notice. Multiple plaintiffs’ firms announce investigations the same week: Strauss Borrelli, Lynch Carpenter, Murphy Law Firm, Edelson Lechtzin, Schubert Jonckheer & Kolbe, Cafferty Clobes Meriwether & Sprengel, Federman & Sherwood, Pittman Dutton Hellums Bradley & Mann, and Almeida Law Group.
The roughly eleven-month gap between discovery and individual notification is a recurring complaint in the plaintiffs’ bar’s public investigation notices and is likely to feature in any class complaint.
The company has since rebranded: Brightstar Global Solutions Corporation is now publicly known as Brightstar Lottery PLC, a foreign private issuer traded on U.S. markets and registered with the SEC (Commission File No. 001-36906, formerly traded under International Game Technology PLC). The July 2025 corporate split separated Brightstar Lottery (lottery technology) from IGT (casino gaming and FinTech).
What was exposed
Per the state Attorney General notice letters, the data elements involved may include:
- Full name and contact information
- Date of birth
- Government identification documents or numbers, such as driver’s license
- Social Security number or other tax identifier
- Financial account information
- Health data
- Other information collected in connection with the individual’s relationship with Brightstar or a lottery or gaming venue supported by Brightstar
The presence of health data in the disclosed categories — combined with the OCR filing under the Health Plan classification — is what places this incident on this page. The most likely health-data subset is employee or retiree group-health-plan information rather than patient records.
What the plan is offering
Brightstar engaged Kroll to provide identity-monitoring services at no cost for 24 months, including credit monitoring, fraud consultation, and identity-theft restoration. Affected individuals can enroll at https://enroll.krollmonitoring.com using the enrollment code printed in their individual notification letter. The enrollment deadline is stated in each individual letter. A dedicated assistance line is available at (866) 819-2404, Monday through Friday.
Class-action posture
As of early June 2026, no consolidated class-action complaint has been confirmed on the public dockets in our review, but at least nine plaintiffs’ firms have publicly opened investigations within days of the October 3 notice: Strauss Borrelli PLLC, Lynch Carpenter LLP, Murphy Law Firm, Edelson Lechtzin LLP, Schubert Jonckheer & Kolbe LLP, Cafferty Clobes Meriwether & Sprengel LLP, Federman & Sherwood, Pittman Dutton Hellums Bradley & Mann P.C., and Almeida Law Group. ClassAction.org has noted that its investigation into this matter is now complete — suggesting attorneys coordinating through that aggregator have moved toward a filing decision. The recurring themes in firm announcements are (1) the eleven-month delay between discovery and notification, (2) the sensitivity of the data set (SSN plus financial plus health), and (3) the size of the affected population. District of Rhode Island and possibly the District of Nevada (IGT’s headquarters at the time of the incident) are the venues to watch for any consolidated complaint.
What to do
- Watch your mail for a notification letter from Brightstar Global Solutions Corporation. The letter carries your personal enrollment code for Kroll identity monitoring.
- Enroll in the Kroll monitoring before the deadline in your letter. Twenty-four months of credit monitoring plus identity-theft restoration is materially better than nothing, especially given that SSN was in the data set.
- Place free credit freezes at Equifax, Experian, and TransUnion. This is the single highest-leverage step against new-account fraud and it stays in place after the Kroll coverage expires.
- Pull free credit reports at
annualcreditreport.comand review for unfamiliar accounts. - If you are a Rhode Island lottery retailer, vendor, employee, or contractor of Brightstar/IGT and you have not received a letter by mid-2026, contact the Brightstar assistance line at (866) 819-2404 to confirm whether you were in scope.
- Decide on class-action participation when a complaint is filed and a class notice issues. Until then, retaining your notification letter and the postmarked envelope preserves your standing.
- Stop the ongoing flow of your health plan data. HealthConsent files HIPAA restriction requests so the health and benefits data exposed in this breach is not continuously re-shared across insurance networks and third-party data brokers.
Sources
- HHS Office for Civil Rights Breach Portal — federal regulatory record (103,879 affected, Hacking/IT Incident at Network Server).
- Massachusetts AG — Brightstar consumer notice (2025-1706) — the actual notification letter text and Kroll enrollment instructions.
- Vermont Attorney General — Brightstar data breach notice — Oct 3, 2025 consumer notice filing.
- Rhode Island Attorney General Data Breach Notifications — state-level filings index.
- Turnto10 (WJAR) — Rhode Island count of 6,354 affected residents and IGT relationship context.
- Boston Globe — regional news coverage.
- ClassAction.org — 103,879 affected count, investigation status.
- Strauss Borrelli PLLC — plaintiff-firm investigation announcement.
- PR Newswire (Schubert Jonckheer & Kolbe) — privacy alert.
- Lynch Carpenter LLP (GlobeNewswire) — investigation announcement.
- Federman & Sherwood — investigation announcement, confirmed Kroll 24-month monitoring offer.
- Pittman Dutton Hellums Bradley & Mann P.C. — investigation announcement confirming data elements including health and medical data.
- ClaimDepot — state-by-state resident counts; list of 14 AG filings (CA, IA, ME, MA OCABR, MT, NE, NH, OR, RI, SC, TX, VT, WA, HHS).
- Notice of Data Breach — full letter PDF (ClassAction.org mirror) — verbatim notification letter text confirming data categories and Kroll enrollment instructions.
- SEC Form 6-K — Brightstar Lottery PLC (July 2025) — confirms legal entity name change to Brightstar Lottery PLC and corporate separation from IGT post-July 2025 spin-off.
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HHS Office for Civil Rights Breach Portal (primary federal record)
- Massachusetts AG Brightstar Global Solutions consumer notice (2025-1706)
- Vermont Attorney General — Brightstar Global Solutions data breach notice (Oct 3, 2025)
- Rhode Island Attorney General Data Breach Notifications index
- Turnto10 (WJAR) — Brightstar data breach impacts 6,354 Rhode Islanders
- Boston Globe — Lottery tech firm hit by data breach affecting thousands in New England
- ClassAction.org — IGT, Brightstar Data Breach Impacts 103K
- Strauss Borrelli PLLC investigation announcement
- PR Newswire — Schubert Jonckheer & Kolbe privacy alert
- Lynch Carpenter LLP investigation announcement (GlobeNewswire)
- Federman & Sherwood — IGT Group and Brightstar Lottery Group data breach investigation
- Pittman Dutton Hellums Bradley & Mann — Brightstar Lottery Group data breach
- ClaimDepot — Brightstar Lottery data breach summary (AG filings, state resident counts)
- ClassAction.org — Brightstar notice letter PDF (full notification text)
- SEC Form 6-K — Brightstar Lottery PLC (formerly Brightstar Global Solutions, Commission File No. 001-36906)
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.