Southeast Series of Lockton Companies Data Breach 2025: 1.12M Affected · Hacking at Network Server · $9.9M Settlement Approved
Southeast Series of Lockton Companies, LLC filed a HIPAA breach report with HHS OCR on February 28, 2025, disclosing a November 20, 2024 hacking incident that exposed protected health information of 1,124,727 employer-plan members. A $9.9 million class-action settlement was reached in 2026; monitoring codes became available in May 2026. Here is what to do.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Nov 20, 2024
Unauthorized party accessed a single Lockton employee account and computer; files were copied within hours.
Nov 20, 2024
Lockton detected the intrusion the same day and contained the compromised account.
Feb 28, 2025
Lockton submitted a HIPAA breach report to HHS OCR (initially listing 1,706 affected; later revised to 1,124,727).
Mar 20, 2025
Individual notification letters mailed to affected plan members with 24 months of complimentary credit monitoring.
Mar 31, 2025
Federman & Sherwood announces class-action investigation; additional firms follow within days.
Feb 10, 2026
$9.9 million class-action settlement announced in Beasley v. Southeast Series of Lockton Companies, LLC, et al. (Case No. 2516-CV36137, Circuit Court of Jackson County, Missouri). Preliminary approval granted January 8, 2026.
Apr 7, 2026
Claims deadline. Affected individuals had until this date to submit claim forms for documented out-of-pocket losses (up to $5,000) or pro rata cash payments.
May 7, 2026
Final approval hearing held at Eastern Jackson County Courthouse, Independence, Missouri.
May 18, 2026
Settlement administrator (Kroll Settlement Administration LLC) made CyEx Financial Shield Complete activation codes available to all class members.
Nov 20, 2024
Unauthorized party accessed a single Lockton employee account and computer; files were copied within hours.
Nov 20, 2024
Lockton detected the intrusion the same day and contained the compromised account.
Feb 28, 2025
Lockton submitted a HIPAA breach report to HHS OCR (initially listing 1,706 affected; later revised to 1,124,727).
Mar 20, 2025
Individual notification letters mailed to affected plan members with 24 months of complimentary credit monitoring.
Mar 31, 2025
Federman & Sherwood announces class-action investigation; additional firms follow within days.
Feb 10, 2026
$9.9 million class-action settlement announced in Beasley v. Southeast Series of Lockton Companies, LLC, et al. (Case No. 2516-CV36137, Circuit Court of Jackson County, Missouri). Preliminary approval granted January 8, 2026.
Apr 7, 2026
Claims deadline. Affected individuals had until this date to submit claim forms for documented out-of-pocket losses (up to $5,000) or pro rata cash payments.
May 7, 2026
Final approval hearing held at Eastern Jackson County Courthouse, Independence, Missouri.
May 18, 2026
Settlement administrator (Kroll Settlement Administration LLC) made CyEx Financial Shield Complete activation codes available to all class members.
Data exposed
01
High-risk identity
Enables financial + identity theft
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
Southeast Series of Lockton Companies, LLC, the regional arm of global insurance brokerage Lockton serving Southeastern employer clients, filed a HIPAA breach report with HHS OCR on February 28, 2025, disclosing a hacking incident that affected 1,124,727 people. (The Maine Attorney General portal — which received a concurrent state filing — lists the total as 1,154,625 nationwide, including 3,590 Maine residents; the discrepancy likely reflects a revised count during forensic review.) The intrusion occurred on November 20, 2024, when an unauthorized party accessed a single Lockton employee account and computer, copying files within a few hours before the account was contained. Lockton acts as a business associate to employer-sponsored health and benefit plans, so most affected individuals are employees and dependents of Lockton’s downstream client organizations rather than direct Lockton customers.
Timeline
- November 20, 2024 — An unauthorized party accessed one Lockton employee account and one computer in Lockton’s environment. Files containing personal and protected health information were copied within hours. Lockton detected the intrusion the same day and shut down the compromised account.
- November 2024 – February 2025 — Lockton conducted forensic review with outside counsel and cybersecurity experts to determine the contents of the copied files.
- February 28, 2025 — Lockton filed a HIPAA breach notification with HHS OCR (initial portal entry listed 1,706 affected; the count was later revised upward to 1,124,727) and simultaneously notified state attorneys general in Massachusetts, Maine, South Carolina, Texas, and others.
- March 20, 2025 — Lockton began mailing individual notification letters to affected plan members. Affected individuals were offered 24 months of complimentary credit monitoring.
- March 31 – April 2, 2025 — Federman & Sherwood and Murphy Law Firm publicly announced class-action investigations; additional firms followed within days.
- January 8, 2026 — The Circuit Court of Jackson County, Missouri granted preliminary approval of the $9.9 million settlement in Beasley v. Southeast Series of Lockton Companies, LLC, et al. (Case No. 2516-CV36137).
- February 10, 2026 — Settlement terms publicly announced. Claims deadline set for April 7, 2026; final approval hearing scheduled for May 7, 2026.
- April 7, 2026 — Claims deadline passed. Class members had until this date to submit claim forms for documented out-of-pocket losses or pro rata cash payments.
- May 7, 2026 — Final approval hearing held at Eastern Jackson County Courthouse, Independence, Missouri.
- May 18, 2026 — Settlement administrator Kroll Settlement Administration LLC made CyEx Financial Shield Complete activation codes available to all class members. Codes were distributed via postcard and email to eligible class members.
What was exposed
Based on Lockton’s notification letters and state AG filings, the categories of information involved varied by individual but included:
- Full name, mailing address, phone number, email address
- Date of birth
- Social Security number
- Driver’s license number
- Financial account information
- Medical information
- Health insurance information, including policy and member ID numbers
Because the data was tied to employer-sponsored benefit plans Lockton brokers, the population skews heavily toward employees and dependents of Lockton’s downstream client employers. The combination of SSN plus health-plan identifiers makes this dataset particularly attractive for identity theft and medical-benefit fraud.
Who is notifying you
Lockton, as a HIPAA business associate, mailed the individual notice letters directly. If you are affected, the envelope will reference Southeast Series of Lockton Companies, LLC and may also identify the employer or benefit plan whose data was involved. You may additionally receive a separate notification from your employer or plan administrator (the covered entity) about the same event. Both letters describe the same incident.
If you have not received a letter but believe you were on an employer plan brokered by Lockton in 2024, your employer’s HR or benefits team can confirm whether your records were in the affected files.
Class-action and regulatory posture
The breach drew an unusually fast wave of plaintiff-firm activity. Roughly 11 putative class actions were filed in 2025, alleging Lockton failed to implement reasonable security controls (including MFA and access segmentation) on the single employee account that was compromised. The cases were consolidated and settled in early 2026 for $9.9 million without admission of liability:
- $3.0 million earmarked for documented out-of-pocket losses, capped at $5,000 per claimant.
- $5.9 million common fund covering pro rata cash payments, attorneys’ fees, administration costs, and a one-year CyEx Financial Shield Complete identity-protection membership for all class members.
The settlement received preliminary approval on January 8, 2026 (Case No. 2516-CV36137, Circuit Court of Jackson County, Missouri). The claims deadline was April 7, 2026. The final approval hearing was held on May 7, 2026 at the Eastern Jackson County Courthouse. As of May 18, 2026, settlement administrator Kroll Settlement Administration LLC began distributing CyEx Financial Shield Complete activation codes to class members via postcard and email.
State attorneys general in Texas, Massachusetts, Maine, South Carolina, and others received breach notices. The Maine AG portal confirmed 3,590 Maine residents were affected. No separate AG enforcement actions have been announced. The HHS OCR investigation remained on the public portal as of the settlement.
Plaintiff firms and class counsel active in the litigation included Strauss Borrelli PLLC, Federman & Sherwood, Murphy Law Firm, McShane & Brady LLC, Kopelowitz Ostrow Ferguson Weiselberg Gilbert P.A., Milberg Coleman Bryson Phillips Grossman LLP, and the Schubert Law Firm (SLFLA).
What to do
- Activate your CyEx Financial Shield Complete monitoring. The claims deadline passed on April 7, 2026, but all class members remain automatically entitled to one year of CyEx monitoring. Activation codes were mailed by postcard and emailed starting May 18, 2026. Check TheLocktonDataSettlement.com or call (833) 754-7264 for your code if you have not received it.
- Freeze your credit at Equifax, Experian, and TransUnion. It is free and is the single highest-leverage step against new-account fraud. The SSN plus health-plan identifier combination exposed here is particularly useful to identity thieves for opening new credit lines and committing medical-benefit fraud.
- File IRS Form 14039 if you have not already done so. The exposure of Social Security numbers creates direct tax-refund fraud risk for multiple filing seasons.
- Watch for medical-benefit fraud, not just credit fraud. Review explanation-of-benefits statements from your health plan for services you did not receive, and request a copy of your medical-benefit history from your insurer at least once over the next 24 months.
- Confirm with your employer’s HR or benefits team whether your plan was among those Lockton brokered in 2024 if you are unsure why you received a notice.
- Stop the ongoing flow of your health insurance and benefits data. HealthConsent files HIPAA restriction requests so the employer-plan information exposed in this breach is not continuously re-shared across insurance networks and downstream benefit administrators.
Sources
- HHS Office for Civil Rights Breach Portal — federal regulatory record of the breach.
- HIPAA Journal — Lockton to Pay $9.9 Million to Settle Data Breach Litigation — settlement terms, claim deadlines, OCR filing details.
- Defensorum — Multiple Lawsuits Filed Against Southeast Series of Lockton Companies — incident timeline, downstream client sectors, updated affected count.
- ClassAction.org — Southeast Series of Lockton Companies Data Breach Lawsuit — class-action investigation and Texas AG filing.
- ClaimDepot — Lockton Data Breach Affects Over One Million Americans — full enumerated list of exposed data fields and notification dates.
- Strauss Borrelli PLLC — Lockton Data Breach Investigation — plaintiff-firm investigation page, Massachusetts AG filing.
- South Carolina Department of Consumer Affairs — Lockton breach notice (PDF) — state AG-filed notification.
- Maine Attorney General — Lockton data breach notice — 3,590 Maine residents affected; total affected count per filing 1,154,625.
- TheLocktonDataSettlement.com — Official settlement website — case details, class member benefits, activation code distribution (as of May 18, 2026).
- Top Class Actions — $9.9M Lockton Southeast Data Breach Class Action Settlement — settlement listed as closed; CyEx monitoring benefit details.
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HHS Office for Civil Rights Breach Portal
- HIPAA Journal — Lockton to Pay $9.9 Million to Settle Data Breach Litigation
- Defensorum — Multiple Lawsuits Filed Against Southeast Series of Lockton Companies
- ClassAction.org — Southeast Series of Lockton Companies Data Breach Lawsuit
- ClaimDepot — Lockton Data Breach Affects Over One Million Americans
- Strauss Borrelli PLLC — Lockton Data Breach Investigation
- South Carolina Department of Consumer Affairs — Lockton breach notice (PDF)
- Maine Attorney General — Lockton data breach notice (3,590 Maine residents)
- Beasley v. Southeast Series of Lockton Companies — Settlement Website (TheLocktonDataSettlement.com)
- Top Class Actions — $9.9M Lockton Southeast Data Breach Class Action Settlement
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.