Steven L. Imber, Justin T. Liby, Jennifer L. Osborn, Zachary R. Dyer, and Pavel (Pasha) A. Sternberg of Polsinelli PC write:
In two separate but related actions, third party administrators (TPAs) and their insurance business partners agreed to substantial settlements to resolve allegations that they failed to adequately safeguard sensitive data from cyberattacks.
In the first case, which settled in September 2025, a TPA serving self-funded employers and its co-defendant insurers agreed to pay $13.75 million to resolve claims tied to a 2023 data breach. The incident allegedly compromised the protected health information (PHI) of more than 2.5 million individuals, including a subclass of California residents. The TPA and its co-defendants were named in 13 class action lawsuits over the data breach, which were consolidated into a single action in the U.S. District Court for the Northern District of Texas, Dallas Division. The consolidated lawsuit alleged the TPA and its co-defendants failed to implement reasonable cybersecurity measures to protect sensitive data and information. Although they denied liability, the TPA and insurers agreed to settle.
The second settlement, finalized in October 2025, resolved a Texas class action lawsuit involving a 2024 data breach that allegedly impacted the personal and health information of more than 800,000 policyholders’ records held by a Texas-based TPA. The suit alleged that the TPA and its insurer partners — in failing to implement reasonable cybersecurity measures — failed to prevent a cyberattack that exposed names, health insurance information, Social Security numbers and financial account details. As with the earlier case, the defendants did not admit liability but agreed to a $6 million settlement.
Read more at The National Law Review.