Active breach tracker Atlanta, Georgia Disclosed February 28, 2025

Southeast Series of Lockton Companies Data Breach 2025: 1.12M Affected · Hacking at Network Server · $9.9M Settlement Approved

Southeast Series of Lockton Companies, LLC filed a HIPAA breach report with HHS OCR on February 28, 2025, disclosing a November 20, 2024 hacking incident that exposed protected health information of 1,124,727 employer-plan members. A $9.9 million class-action settlement was reached in 2026; monitoring codes became available in May 2026. Here is what to do.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Nov 20, 2024

Unauthorized party accessed a single Lockton employee account and computer; files were copied within hours.

Nov 20, 2024

Lockton detected the intrusion the same day and contained the compromised account.

Feb 28, 2025

Lockton submitted a HIPAA breach report to HHS OCR (initially listing 1,706 affected; later revised to 1,124,727).

Mar 20, 2025

Individual notification letters mailed to affected plan members with 24 months of complimentary credit monitoring.

Mar 31, 2025

Federman & Sherwood announces class-action investigation; additional firms follow within days.

Feb 10, 2026

$9.9 million class-action settlement announced in Beasley v. Southeast Series of Lockton Companies, LLC, et al. (Case No. 2516-CV36137, Circuit Court of Jackson County, Missouri). Preliminary approval granted January 8, 2026.

Apr 7, 2026

Claims deadline. Affected individuals had until this date to submit claim forms for documented out-of-pocket losses (up to $5,000) or pro rata cash payments.

May 7, 2026

Final approval hearing held at Eastern Jackson County Courthouse, Independence, Missouri.

May 18, 2026

Settlement administrator (Kroll Settlement Administration LLC) made CyEx Financial Shield Complete activation codes available to all class members.

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth Social Security number Driver's license number

03

Contact & insurance

Phishing + targeted scams

Full name Mailing address Phone number Email address Financial account information Medical information Health insurance information (including policy/ID numbers)

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Strauss Borrelli PLLC Federman & Sherwood Murphy Law Firm McShane & Brady LLC Schubert Law Firm (SLFLA) Kopelowitz Ostrow Ferguson Weiselberg Gilbert P.A. Milberg Coleman Bryson Phillips Grossman LLP
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

Southeast Series of Lockton Companies, LLC, the regional arm of global insurance brokerage Lockton serving Southeastern employer clients, filed a HIPAA breach report with HHS OCR on February 28, 2025, disclosing a hacking incident that affected 1,124,727 people. (The Maine Attorney General portal — which received a concurrent state filing — lists the total as 1,154,625 nationwide, including 3,590 Maine residents; the discrepancy likely reflects a revised count during forensic review.) The intrusion occurred on November 20, 2024, when an unauthorized party accessed a single Lockton employee account and computer, copying files within a few hours before the account was contained. Lockton acts as a business associate to employer-sponsored health and benefit plans, so most affected individuals are employees and dependents of Lockton’s downstream client organizations rather than direct Lockton customers.

Timeline

  • November 20, 2024 — An unauthorized party accessed one Lockton employee account and one computer in Lockton’s environment. Files containing personal and protected health information were copied within hours. Lockton detected the intrusion the same day and shut down the compromised account.
  • November 2024 – February 2025 — Lockton conducted forensic review with outside counsel and cybersecurity experts to determine the contents of the copied files.
  • February 28, 2025 — Lockton filed a HIPAA breach notification with HHS OCR (initial portal entry listed 1,706 affected; the count was later revised upward to 1,124,727) and simultaneously notified state attorneys general in Massachusetts, Maine, South Carolina, Texas, and others.
  • March 20, 2025 — Lockton began mailing individual notification letters to affected plan members. Affected individuals were offered 24 months of complimentary credit monitoring.
  • March 31 – April 2, 2025 — Federman & Sherwood and Murphy Law Firm publicly announced class-action investigations; additional firms followed within days.
  • January 8, 2026 — The Circuit Court of Jackson County, Missouri granted preliminary approval of the $9.9 million settlement in Beasley v. Southeast Series of Lockton Companies, LLC, et al. (Case No. 2516-CV36137).
  • February 10, 2026 — Settlement terms publicly announced. Claims deadline set for April 7, 2026; final approval hearing scheduled for May 7, 2026.
  • April 7, 2026 — Claims deadline passed. Class members had until this date to submit claim forms for documented out-of-pocket losses or pro rata cash payments.
  • May 7, 2026 — Final approval hearing held at Eastern Jackson County Courthouse, Independence, Missouri.
  • May 18, 2026 — Settlement administrator Kroll Settlement Administration LLC made CyEx Financial Shield Complete activation codes available to all class members. Codes were distributed via postcard and email to eligible class members.

What was exposed

Based on Lockton’s notification letters and state AG filings, the categories of information involved varied by individual but included:

  • Full name, mailing address, phone number, email address
  • Date of birth
  • Social Security number
  • Driver’s license number
  • Financial account information
  • Medical information
  • Health insurance information, including policy and member ID numbers

Because the data was tied to employer-sponsored benefit plans Lockton brokers, the population skews heavily toward employees and dependents of Lockton’s downstream client employers. The combination of SSN plus health-plan identifiers makes this dataset particularly attractive for identity theft and medical-benefit fraud.

Who is notifying you

Lockton, as a HIPAA business associate, mailed the individual notice letters directly. If you are affected, the envelope will reference Southeast Series of Lockton Companies, LLC and may also identify the employer or benefit plan whose data was involved. You may additionally receive a separate notification from your employer or plan administrator (the covered entity) about the same event. Both letters describe the same incident.

If you have not received a letter but believe you were on an employer plan brokered by Lockton in 2024, your employer’s HR or benefits team can confirm whether your records were in the affected files.

Class-action and regulatory posture

The breach drew an unusually fast wave of plaintiff-firm activity. Roughly 11 putative class actions were filed in 2025, alleging Lockton failed to implement reasonable security controls (including MFA and access segmentation) on the single employee account that was compromised. The cases were consolidated and settled in early 2026 for $9.9 million without admission of liability:

  • $3.0 million earmarked for documented out-of-pocket losses, capped at $5,000 per claimant.
  • $5.9 million common fund covering pro rata cash payments, attorneys’ fees, administration costs, and a one-year CyEx Financial Shield Complete identity-protection membership for all class members.

The settlement received preliminary approval on January 8, 2026 (Case No. 2516-CV36137, Circuit Court of Jackson County, Missouri). The claims deadline was April 7, 2026. The final approval hearing was held on May 7, 2026 at the Eastern Jackson County Courthouse. As of May 18, 2026, settlement administrator Kroll Settlement Administration LLC began distributing CyEx Financial Shield Complete activation codes to class members via postcard and email.

State attorneys general in Texas, Massachusetts, Maine, South Carolina, and others received breach notices. The Maine AG portal confirmed 3,590 Maine residents were affected. No separate AG enforcement actions have been announced. The HHS OCR investigation remained on the public portal as of the settlement.

Plaintiff firms and class counsel active in the litigation included Strauss Borrelli PLLC, Federman & Sherwood, Murphy Law Firm, McShane & Brady LLC, Kopelowitz Ostrow Ferguson Weiselberg Gilbert P.A., Milberg Coleman Bryson Phillips Grossman LLP, and the Schubert Law Firm (SLFLA).

What to do

  • Activate your CyEx Financial Shield Complete monitoring. The claims deadline passed on April 7, 2026, but all class members remain automatically entitled to one year of CyEx monitoring. Activation codes were mailed by postcard and emailed starting May 18, 2026. Check TheLocktonDataSettlement.com or call (833) 754-7264 for your code if you have not received it.
  • Freeze your credit at Equifax, Experian, and TransUnion. It is free and is the single highest-leverage step against new-account fraud. The SSN plus health-plan identifier combination exposed here is particularly useful to identity thieves for opening new credit lines and committing medical-benefit fraud.
  • File IRS Form 14039 if you have not already done so. The exposure of Social Security numbers creates direct tax-refund fraud risk for multiple filing seasons.
  • Watch for medical-benefit fraud, not just credit fraud. Review explanation-of-benefits statements from your health plan for services you did not receive, and request a copy of your medical-benefit history from your insurer at least once over the next 24 months.
  • Confirm with your employer’s HR or benefits team whether your plan was among those Lockton brokered in 2024 if you are unsure why you received a notice.
  • Stop the ongoing flow of your health insurance and benefits data. HealthConsent files HIPAA restriction requests so the employer-plan information exposed in this breach is not continuously re-shared across insurance networks and downstream benefit administrators.

Sources

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.