$19M in Settlements Underscore Cybersecurity Risks for TPAs and Insurers

From Polsinelli PC:

In two separate but related actions, third-party administrators (TPAs) and their insurance business partners agreed to substantial settlements to resolve allegations that they failed to adequately safeguard sensitive data from cyberattacks. Though neither case involved a finding of fault, both spotlight a growing trend: plaintiffs and regulators are treating basic cybersecurity failures as actionable — and expensive.

In the first case, which settled in September 2025, a TPA serving self-funded employers and its co-defendant insurers agreed to pay $13.75 million to resolve claims tied to a 2023 data breach. The incident allegedly compromised the protected health information (PHI) of more than 2.5 million individuals, including a subclass of California residents. The TPA and its co-defendants were named in 13 class action lawsuits over the data breach, which were consolidated into a single action in the U.S. District Court for the Northern District of Texas, Dallas Division. The consolidated lawsuit alleged the TPA and its co-defendants failed to implement reasonable cybersecurity measures to protect sensitive data and information. Although they denied liability, the TPA and insurers agreed to settle.

The second settlement, finalized in October 2025, resolved a Texas class action lawsuit involving a 2024 data breach that allegedly impacted more than 800,000 policyholders’ records, containing personal and health information, held by a Texas-based TPA.

Read more at The National Law Review.