Blank Rome identified the breach within two hours on May 21 and deleted the uploaded files by May 28. The firm did not mail breach notification letters to affected individuals until June 26—a month after the intrusion. The delayed notification forms the core of the negligence allegations. Regulatory bodies including the California Attorney General were notified, and law enforcement is investigating. Affected individuals are being offered 12 to 24 months of complimentary credit monitoring through Epiq's Privacy Solutions.
The class action filing this week underscores the mounting litigation risk facing law firms over data breaches, particularly those involving social-engineering attacks that bypass technical controls. For in-house counsel and firm leadership, the case highlights two exposure points: the vulnerability of attorney-level access to sensitive systems and the legal consequences of notification delays. The inclusion of Social Security numbers and medical data creates prolonged identity-theft risk for affected parties, making the month-long gap between discovery and notification a focal point for damages claims.