About

Blank Rome Hit With Two Class Actions After May Data Breach Exposes 57,000 Clients

Published
Score
20

Why it matters

Blank Rome LLP, a Philadelphia-based firm, faces two proposed class-action lawsuits following a May 2026 data breach that compromised the personal information of 57,554 current, former, and prospective clients. A cybercriminal impersonating an IT staff member tricked an attorney into uploading sensitive files to an unauthorized external Google Drive. The exposed data includes Social Security numbers, medical records, driver's license numbers, passport information, and health insurance details.

The lawsuits, filed July 6 in the Eastern District of Pennsylvania, name Blank Rome as defendant and include lead plaintiffs Laura Delapaz and former California clients. The complaints allege negligence, breach of contract, breach of fiduciary duty, and violations of consumer protection statutes, specifically targeting the firm's failure to implement adequate staff training to identify social engineering schemes and its lack of industry-standard cybersecurity safeguards. The plaintiffs cite violations of HIPAA and the Federal Trade Commission Act.

Attorneys should monitor this case as a bellwether for data breach liability in the legal sector. The scale of exposure—over 57,000 individuals with critical identity data—and the straightforward negligence theory (inadequate IT security training) create significant precedent for similar claims against other firms. As the FBI has previously warned the legal profession about IT impersonation scams, courts may view failures to implement basic defense protocols as particularly culpable. Firms should audit their own email authentication systems, staff training protocols, and file-sharing restrictions now.

Sources

mail Subscribe to Privacy email updates

Primary sources. No fluff. Straight to your inbox.

Also on LawSnap