Insurance Companies Third Party Administrators Settle Cybersecur
ppp
ppIn two separate but related actions third party administrators TPAs and their insurance business partners agreed to substantial settlements to resolve allegations that they failed to adequately safeguard sensitive data from cyberattacks Though neither case involved a finding of fault both spotlight a growing trend plaintiffs and regulators are treating basic cybersecurity failures as actionable and expensiveppFor TPAs and insurers the message is clear even without an admission of wrongdoing perceived data security missteps can carry steep legal and financial consequencesppIn the first case which settled in September 2025 a TPA serving selffunded employers and its codefendant insurers agreed to pay 1375 million to resolve claims tied to a 2023 data breach The incident allegedly compromised the protected health information PHI of more than 25 million individuals including a subclass of California residents The TPA and its codefendants were named in 13 class action lawsuits over the data breach which were consolidated into a single action in the US District Court for the Northern District of Texas Dallas Division The consolidated lawsuit alleged the TPA and its codefendants failed to implement reasonable cybersecurity measures to protect sensitive data and information Although they denied liability the TPA and insurers agreed to settleppThe second settlement finalized in October 2025 resolved a Texas class action lawsuit involving a 2024 data breach that allegedly impacted the personal and health information of more than 800000 policyholders records held by a Texasbased TPA The suit alleged that the TPA and its insurer partners in failing to implement reasonable cybersecurity measures failed to prevent a cyberattack that exposed names health insurance information Social Security numbers and financial account details As with the earlier case the defendants did not admit liability but agreed to a 6 million settlementppTogether these settlements reinforce a growing reality organizations that handle large volumes of sensitive data especially TPAs and insurers must treat cybersecurity as a core compliance function not just an IT issue As plaintiffs and regulators continue to focus on what constitutes reasonable protections failure to meet that standard can expose companies to costly class actions regardless of intent or admission of faultppCompanies in all industry sectors are struggling to keep pace with cybersecurity threats but for TPAs in particular these cases highlight the need to regularly review internal data security practices strengthen breach response protocols and evaluate thirdparty risk The cost of inaction isnt just theoretical its reputational regulatory and increasingly financialppppYou are responsible for reading understanding and agreeing to the National Law Reviews NLRs and the National Law Forum LLCs Terms of Use and Privacy Policy before using the National Law Review website The National Law Review is a free to use nolog in database of legal and business articles The content and links on wwwNatLawReviewcom are intended for general information purposes only Any legal analysis legislative updates or other content and links should not be construed as legal or professional advice or a substitute for such advice No attorneyclient or confidential relationship is formed by the transmission of information between you and the National Law Review website or any of the law firms attorneys or other professionals or organizations who include content on the National Law Review website If you require legal or professional advice kindly contact an attorney or other suitable professional advisor ppSome states have laws and ethical rules regarding solicitation and advertisement practices by attorneys andor other professionals The National Law Review is not a law firm nor is wwwNatLawReviewcom intended to be a referral service for attorneys andor other professionals The NLR does not wish nor does it intend to solicit the business of anyone or to refer anyone to an attorney or other professional NLR does not answer legal questions nor will we refer you to an attorney or other professional if you request such information from us ppUnder certain state laws the following statements may be required on this website and we have included them in order to be in full compliance with these rules The choice of a lawyer or other professional is an important decision and should not be based solely upon advertisements Attorney Advertising Notice Prior results do not guarantee a similar outcome Statement in compliance with Texas Rules of Professional Conduct Unless otherwise noted attorneys are not certified by the Texas Board of Legal Specialization nor can NLR attest to the accuracy of any notation of Legal Specialization or other Professional CredentialsppThe National Law Review National Law Forum LLC 2070 Green Bay Rd Suite 178 Highland Park IL 60035 Telephone 708 3573317 or toll free 877 3573317 If you would ike to contact us via email please click hereppCopyright 2025 National Law Forum LLCp
ppIn two separate but related actions third party administrators TPAs and their insurance business partners agreed to substantial settlements to resolve allegations that they failed to adequately safeguard sensitive data from cyberattacks Though neither case involved a finding of fault both spotlight a growing trend plaintiffs and regulators are treating basic cybersecurity failures as actionable and expensiveppFor TPAs and insurers the message is clear even without an admission of wrongdoing perceived data security missteps can carry steep legal and financial consequencesppIn the first case which settled in September 2025 a TPA serving selffunded employers and its codefendant insurers agreed to pay 1375 million to resolve claims tied to a 2023 data breach The incident allegedly compromised the protected health information PHI of more than 25 million individuals including a subclass of California residents The TPA and its codefendants were named in 13 class action lawsuits over the data breach which were consolidated into a single action in the US District Court for the Northern District of Texas Dallas Division The consolidated lawsuit alleged the TPA and its codefendants failed to implement reasonable cybersecurity measures to protect sensitive data and information Although they denied liability the TPA and insurers agreed to settleppThe second settlement finalized in October 2025 resolved a Texas class action lawsuit involving a 2024 data breach that allegedly impacted the personal and health information of more than 800000 policyholders records held by a Texasbased TPA The suit alleged that the TPA and its insurer partners in failing to implement reasonable cybersecurity measures failed to prevent a cyberattack that exposed names health insurance information Social Security numbers and financial account details As with the earlier case the defendants did not admit liability but agreed to a 6 million settlementppTogether these settlements reinforce a growing reality organizations that handle large volumes of sensitive data especially TPAs and insurers must treat cybersecurity as a core compliance function not just an IT issue As plaintiffs and regulators continue to focus on what constitutes reasonable protections failure to meet that standard can expose companies to costly class actions regardless of intent or admission of faultppCompanies in all industry sectors are struggling to keep pace with cybersecurity threats but for TPAs in particular these cases highlight the need to regularly review internal data security practices strengthen breach response protocols and evaluate thirdparty risk The cost of inaction isnt just theoretical its reputational regulatory and increasingly financialppppYou are responsible for reading understanding and agreeing to the National Law Reviews NLRs and the National Law Forum LLCs Terms of Use and Privacy Policy before using the National Law Review website The National Law Review is a free to use nolog in database of legal and business articles The content and links on wwwNatLawReviewcom are intended for general information purposes only Any legal analysis legislative updates or other content and links should not be construed as legal or professional advice or a substitute for such advice No attorneyclient or confidential relationship is formed by the transmission of information between you and the National Law Review website or any of the law firms attorneys or other professionals or organizations who include content on the National Law Review website If you require legal or professional advice kindly contact an attorney or other suitable professional advisor ppSome states have laws and ethical rules regarding solicitation and advertisement practices by attorneys andor other professionals The National Law Review is not a law firm nor is wwwNatLawReviewcom intended to be a referral service for attorneys andor other professionals The NLR does not wish nor does it intend to solicit the business of anyone or to refer anyone to an attorney or other professional NLR does not answer legal questions nor will we refer you to an attorney or other professional if you request such information from us ppUnder certain state laws the following statements may be required on this website and we have included them in order to be in full compliance with these rules The choice of a lawyer or other professional is an important decision and should not be based solely upon advertisements Attorney Advertising Notice Prior results do not guarantee a similar outcome Statement in compliance with Texas Rules of Professional Conduct Unless otherwise noted attorneys are not certified by the Texas Board of Legal Specialization nor can NLR attest to the accuracy of any notation of Legal Specialization or other Professional CredentialsppThe National Law Review National Law Forum LLC 2070 Green Bay Rd Suite 178 Highland Park IL 60035 Telephone 708 3573317 or toll free 877 3573317 If you would ike to contact us via email please click hereppCopyright 2025 National Law Forum LLCp
