
1 Million People Had Their Medical Records Stolen From Lockton Companies

Data Breach Investigation

An Unauthorized Intruder Stole the Medical Records of a Million Workers

Lockton Companies collects some of the most sensitive personal data that exists. As a major insurance and employee benefits broker, it sits between employers and their workers’ health plans, accumulating Social Security numbers, dates of birth, health diagnoses, and medical histories for everyone enrolled. On November 20, 2024, Lockton discovered that someone else had been in that data.

  • November 20, 2024: Defendants discovered “suspicious activity” on one of their computers. An investigation confirmed an unauthorized individual had accessed computer files containing the Private Information of approximately one million people.
  • The stolen data is classified in the settlement as “Private Information,” defined to include: names, Social Security numbers, dates of birth, health information, and medical information. This is the most complete package of identity-theft material that exists.
  • The victims spanned a broad population: Lockton’s own current and former employees, employees of Lockton’s corporate clients (current and former), and those workers’ dependents and beneficiaries. Children on family health plans are included in this count.
  • Lockton’s clients whose employees were caught in the breach include major corporations. The settlement names Dollar Tree Inc., Family Dollar Stores LLC, Sterling Pharma Solutions, and House of Raeford Farms, Inc. as Released Parties, meaning their workers’ data was affected and they are protected from lawsuits under the settlement’s terms.
  • March 2025: Defendants sent notification letters to affected individuals. Roughly four months elapsed between discovery and notification, during which the affected people could not take protective steps such as freezing their credit or watching for fraudulent insurance claims.
  • Ten separate class action lawsuits were filed in the Western District of Missouri. Plaintiffs’ counsel consolidated the cases and appointed lead counsel from Milberg PLLC and Kopelowitz Ostrow P.A., with McShane & Brady, LLC as liaison counsel and additional firms on an executive committee.
  • September 3, 2025: Parties attended a formal mediation in Los Angeles, California, which failed to produce an agreement. Negotiations continued for weeks afterward, with settlement on all material terms reached in October 2025.
  • The case was filed in state court in Jackson County, Missouri on November 3, 2025, after the parties agreed state jurisdiction was proper and dismissed the federal actions.
Fig. 1: Timeline of key events, from the Lockton data breach to the settlement. Nov 20, 2024: breach discovered. Mar 2025 (about four months later): notification letters sent to roughly one million people. Sep 3, 2025 (about six months later): mediation in Los Angeles, no agreement. Oct 2025: material settlement terms agreed. Nov 3, 2025: action filed in Missouri state court. About 11.5 months from breach discovery to the settlement filing; the four months between discovery and notification are the window in which victims were unaware.
“An unauthorized individual accessed certain computer files containing the Private Information of approximately one million individuals.”

What a Million People Lost That No Settlement Check Will Ever Replace

Think about what Lockton had on file for you. Not a username and a password. Not a credit card number you can cancel in five minutes. They had your Social Security number, the nine-digit key that the entire American financial and government system uses to identify you as a human being. They had your date of birth. They had your health information and your medical records: what conditions you carry, what medications you take, what diagnoses have been written into the insurance system under your name.

That information does not expire. You cannot reset it the way you reset a password. Your Social Security number is yours for life, and so is the damage done once it ends up on the dark web. The people who buy this data know exactly what to do with it. They open credit accounts in your name. They file fraudulent tax returns to collect your refund before you do. They use your medical identity to bill insurance companies for procedures you never had, which corrupts your medical history in ways that can follow you into emergency rooms for decades. Some people spend years cleaning up the aftermath of a single breach like this one.

Now consider who Lockton’s victims actually were. These were not the wealthy or the well-connected. These were workers: employees of Dollar Tree and Family Dollar, people stocking shelves and running registers at discount retailers where the average wage hovers around minimum wage. These were workers at House of Raeford Farms, a poultry processing company whose workforce includes a significant proportion of immigrant and low-income workers who may have less access to credit monitoring services, less familiarity with identity theft remediation, and fewer resources to absorb the financial hit of fraudulent accounts opened in their names. These were pharmaceutical workers, retirees who left employment years ago and have no idea they were ever in Lockton’s system, and children enrolled as dependents on a parent’s health plan who did not consent to any of this and whose data may sit dormant for years before someone tries to use it.

The settlement gives each of these people one year of credit monitoring through a service called CyEx Financial Shield Complete. One year. After that, the monitoring stops, and the stolen data does not. The perpetrators who accessed those files in November 2024 still have them. The information does not get deleted from wherever it landed. The risk does not end when the monitoring subscription expires.

There is also the specific indignity of what was stolen: medical information. Health data is among the most intimate information a person generates. It records the worst moments of your life, your diagnoses, your treatments, the vulnerabilities that employers, insurers, and creditors would exploit if they could get their hands on them. Most people who go to work at a discount retailer or a poultry processing plant do not sit down and think about the fact that their employer’s insurance broker has filed their mental health diagnoses and prescriptions into a database on a computer that an unauthorized individual was able to reach. They did not choose to share that information with whoever broke into Lockton’s systems. They had no say in it.

Lockton knew something was wrong on November 20, 2024. They held that knowledge for four months before telling the people whose lives were at risk. During those four months, those workers went to work every day, checked their mail, looked at their bank accounts, with no idea that the most sensitive information they possessed had already been compromised. The settlement agreement does not call this a delay or a failure. It calls the attack a “Data Incident” and moves efficiently toward a dollar amount and a release of all claims.

Verbatim From the Settlement: What the Documents Actually Say

These are direct quotes from the court-filed settlement agreement. Nothing is paraphrased. The language was drafted and negotiated by Lockton’s attorneys and Class Counsel.

“On November 20, 2024, Defendants discovered suspicious activity on one of their computers. After an investigation, Defendants determined that an unauthorized individual accessed certain computer files containing the Private Information of approximately one million individuals.”

What this proves:

  • The breach is confirmed as a fact by Lockton itself, not merely alleged by plaintiffs. “Defendants determined” means Lockton’s own investigation produced this finding.
  • The phrase “one of their computers” places the intrusion on a specific system, but the settlement says nothing about how the intruder got in, how long the access lasted, or whether the files were copied out rather than only viewed. Those are the first questions a security reviewer would ask, and the document does not answer them.
  • The figure “approximately one million individuals” is Lockton’s own count from its investigation, not a plaintiffs’ estimate. As an approximation, it is neither a floor nor a ceiling.
“In March 2025, Defendants sent letters to the individuals whose Private Information was impacted in the Data Incident.”

What this proves:

  • Lockton discovered the breach in November 2024 and did not notify victims until March 2025. The settlement document itself creates a four-month gap between discovery and notification, stated without explanation or apology.
  • The passive framing “sent letters” obscures how many letters were sent, when exactly in March they were sent, and whether the notification reached everyone affected.
“‘Private Information’ means Settlement Class Members’ information that may have been impacted in the Data Incident, which includes names, Social Security numbers, dates of birth, health information, and medical information.”

What this proves:

  • The stolen data package is explicitly confirmed to include medical information and health information. This is not a breach of usernames and passwords; it is a breach of protected health data and lifelong identity documents.
  • The phrase “may have been impacted” is lawyerly hedging that the surrounding confirmed facts do not support. Lockton’s own investigation determined the files were accessed.
“‘Released Parties’ means Southeast Series of Lockton Companies, LLC, Lockton Companies, LLC, Dollar Tree Inc., Family Dollar Stores LLC, Sterling Pharma Solutions, House of Raeford Farms, Inc., and all of Defendants’ impacted clients and/or entities, and their respective past, present and future direct and indirect parents, subsidiaries, affiliates, divisions, departments, predecessors, successors and assigns, and any and all of their past, present, and future directors, officers, executives, officials, principals, stockholders, heirs, agents, associates, insurers, reinsurers, members, attorneys, accountants, actuaries, employees, fiduciaries, advisors, consultants, representatives, partners, joint venturers, licensees, licensors, independent contractors, subrogees, trustees, executors, administrators, benefit plan enrollees, associated third Parties, predecessors, successors and assigns, and any other person acting on Defendants’ behalf, in their capacity as such.”

What this proves:

  • By accepting the settlement, victims permanently release not just Lockton but Dollar Tree, Family Dollar, Sterling Pharma Solutions, and House of Raeford Farms from all claims related to this breach. Employers whose workers had their data stolen get liability protection bundled into their insurance broker’s settlement.
  • The release extends to “any and all” past, present, and future officers, executives, stockholders, and a list of categories that runs well over a hundred words. This is an extraordinarily broad release designed to ensure no one connected to these entities can ever be sued over this event.
  • The phrase “benefit plan enrollees” in the list of Released Parties is particularly notable: these are the victims themselves listed among the parties being protected, a legal construction that attempts to pre-emptively close every possible avenue for future liability.
“Defendants do not in any way acknowledge, admit to, or concede any of the allegations made in the Complaint, and disclaim and deny any fault or liability, or any charges of wrongdoing that have been or could have been asserted in the Complaint.”

What this proves:

  • One million people had their most sensitive data stolen. Lockton is paying $5.9 million to make the lawsuits go away, and doing so while formally denying it did anything wrong. This is the standard corporate settlement formula: pay for peace without paying the reputational cost of admitting a failure.
  • Non-admission language like this is meant to stop the settlement itself from being cited as an admission of fault in other proceedings. It does not stop the FTC, HHS, or a state attorney general from investigating the incident on their own record; it only keeps this agreement from doing their work for them.
“In the event that more than two percent of the Settlement Class submits timely and valid opt-out requests, Defendants may, by notifying Class Counsel in writing, void this Settlement Agreement within five business days of receipt of the final opt-out list from the Settlement Administrator.”

What this proves:

  • If more than 20,000 of the one million affected people opt out of the settlement, Lockton has the contractual right to kill the entire deal and force everyone back to litigation. This clause effectively discourages organized opt-out campaigns, because a successful campaign could destroy the settlement for the victims who remain in it.
  • The two-percent threshold is a corporate safety valve that protects Lockton more than it protects victims. It is standard language in data breach settlements, and it consistently works in the defendant’s favor.
The settlement permanently bars one million people from suing Dollar Tree, Family Dollar, Sterling Pharma Solutions, or House of Raeford Farms over this breach, even though none of those companies are paying a single dollar of the settlement fund.
Fig. 2: Who is protected by this settlement’s release (relationship map). About one million victims (workers, dependents, beneficiaries) sign the release. Lockton Companies, the insurance and benefits broker, pays the $9.9M settlement value ($5.9M Common Settlement Fund, $3M documented-loss pool, $1M additional fees) and is released. Dollar Tree and Family Dollar (Lockton clients whose workers’ data was stolen) are released at no cost and pay $0. Sterling Pharma Solutions and House of Raeford Farms are also released and pay $0. Class counsel fees: up to $2,966,666.67 (about 30% of the total). Victim payout: pro rata, likely under $10 per person on average.

$9.9 Million Sounds Like a Lot. Here Is Where It Actually Goes.

The headline number in this settlement is $9.9 million. That figure requires unpacking, because the path from $9.9 million to what any individual victim actually receives involves multiple deductions that the settlement documents quietly bury in definitional sections.

  • The $9.9 million “Settlement Value” is described as “the total cash compensation that Defendants have agreed, subject to the terms of the Settlement, to make available.” This is the ceiling, not the floor.
  • The $5.9 million “Common Settlement Fund” is the non-reversionary core fund from which administration costs, attorney fees (up to $1,966,666.67, roughly a third of the fund), service awards, and credit monitoring costs are all paid before any victim sees a dollar.
  • A separate $3 million pool is reserved for documented loss claims (Cash Payment A), capped at $5,000 per person. If total documented claims exceed $3 million, each payment is reduced pro rata.
  • An additional $1 million is payable by Defendants specifically toward attorneys’ fees, bringing the total potential legal fee award to $2,966,666.67. Attorneys can receive close to $3 million of the $9.9 million total.
  • Class Representatives (the 14 named plaintiffs) may each receive a $2,500 service award, totaling up to $35,000, paid from the Common Settlement Fund before pro rata distributions.
  • Settlement administration costs paid to Kroll Settlement Administration, LLC come out of the Common Settlement Fund before victims are paid. The exact amount is not specified in the document, but data breach administration for a one-million-person class typically runs into six figures.
  • After all deductions, the Net Settlement Fund is divided equally among everyone who filed a valid Cash Payment B claim. With one million potential class members, even if only a fraction files, the per-person amount is likely to be minimal. The settlement provides no guaranteed floor for Cash Payment B recipients.
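The waterfall described in the list above is easier to reason about as a calculation than as prose, so here is an added model of it. This is illustration written for this page, not a document or tool from the settlement or from Lockton. The dollar constants come from the settlement terms described above; every claim count, administration cost, and credit-monitoring cost the functions take as input is an assumption, because the settlement leaves those figures to be determined after claims are filed, and the model takes the attorney fee at its maximum.

```python
"""Payout waterfall for the Lockton settlement as described on this page.

Added illustration, not part of the settlement documents. Dollar constants are
the settlement terms; claim counts and administration/monitoring costs are
assumed inputs, not disclosed values.
"""
from dataclasses import dataclass

COMMON_FUND = 5_900_000.00           # Common Settlement Fund (non-reversionary)
DOCUMENTED_LOSS_POOL = 3_000_000.00  # separate pool for Cash Payment A
CASH_A_CAP = 5_000.00                # per-person cap on documented losses
MAX_FEE_FROM_FUND = 1_966_666.67     # attorney fees payable out of the Common Fund
SERVICE_AWARDS = 14 * 2_500.00       # 14 named plaintiffs x $2,500
CLASS_SIZE = 1_000_000               # approximate number of class members


@dataclass
class Payout:
    cash_a: dict[str, float]   # claimant -> documented-loss payment
    cash_a_ratio: float        # 1.0 = paid in full, < 1.0 = pro rata reduction
    net_fund: float            # what is left of the Common Fund for Cash Payment B
    cash_b_each: float         # equal share per valid Cash Payment B claim


def cash_payment_a(claims: dict[str, float]) -> tuple[dict[str, float], float]:
    """Cap each documented claim at $5,000, then scale every claim down by the
    same ratio if the capped total exceeds the $3M pool."""
    capped = {who: min(max(amount, 0.0), CASH_A_CAP) for who, amount in claims.items()}
    total = sum(capped.values())
    ratio = 1.0 if total <= DOCUMENTED_LOSS_POOL else DOCUMENTED_LOSS_POOL / total
    return {who: amount * ratio for who, amount in capped.items()}, ratio


def net_common_fund(admin_costs: float, monitoring_enrollees: int,
                    monitoring_cost_each: float) -> float:
    """Deduct fees, service awards, administration and credit monitoring from
    the Common Settlement Fund. Nothing reverts to Lockton, but the pool
    cannot go below zero either."""
    deductions = (MAX_FEE_FROM_FUND + SERVICE_AWARDS + admin_costs
                  + monitoring_enrollees * monitoring_cost_each)
    return max(COMMON_FUND - deductions, 0.0)


def distribute(cash_a_claims: dict[str, float], cash_b_claimants: int,
               admin_costs: float, monitoring_enrollees: int,
               monitoring_cost_each: float) -> Payout:
    """Run the full waterfall: Cash Payment A from its own pool, Cash Payment B
    as an equal split of whatever remains of the Common Fund."""
    paid_a, ratio = cash_payment_a(cash_a_claims)
    net = net_common_fund(admin_costs, monitoring_enrollees, monitoring_cost_each)
    each = net / cash_b_claimants if cash_b_claimants > 0 else 0.0
    return Payout(paid_a, ratio, net, each)


def scenario_table(admin_costs: float, monitoring_enrollees: int,
                   monitoring_cost_each: float,
                   claim_rates=(0.02, 0.10, 0.50, 1.0)) -> dict[float, float]:
    """Per-person Cash Payment B at several assumed claims rates (fraction of
    the class that files a valid Cash Payment B claim)."""
    return {
        rate: distribute({}, int(CLASS_SIZE * rate), admin_costs,
                         monitoring_enrollees, monitoring_cost_each).cash_b_each
        for rate in claim_rates
    }


if __name__ == "__main__":
    # Constructed sample: three documented-loss claimants, 5% of the class
    # filing Cash Payment B, $400K administration (this page's estimate), and
    # an assumed $20 per enrollee for 100,000 credit-monitoring enrollments.
    sample_a = {"cashier": 1_250.00, "line worker": 8_400.00, "retiree": 300.00}
    result = distribute(sample_a, 50_000, 400_000.00, 100_000, 20.00)
    print(result)
    for rate, each in scenario_table(400_000.00, 100_000, 20.00).items():
        print(f"{rate:>5.0%} of class files Cash Payment B -> ${each:,.2f} each")
```

Two things the model makes visible that the prose only implies: the $3 million documented-loss pool and the $1 million separate fee payment never reach Cash Payment B, and every credit-monitoring enrollment is paid from the same fund that is later split pro rata, so the more class members take the monitoring, the smaller the per-person check.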
Fig. 3: Where the $9.9 million goes (settlement fund breakdown). Attorney fees (max): $2.97M. Documented-loss pool: $3.0M. Net pro-rata fund: about $2.5M (estimate). Administration costs: about $400K (estimate). Service awards: $35K. Administration costs and the net fund are estimates; exact amounts depend on claims filed and court orders.

What Lockton’s Exposure Translates to in Human Terms

  • $9.90: the maximum average settlement value per victim, the full $9.9 million spread across one million people, before any fees or costs are deducted. One million people. Nine dollars and ninety cents each.
  • Under $3.90: Cash Payment B is paid only from what remains of the $5.9 million Common Settlement Fund. After the fee request of up to $1,966,666.67, $35,000 in service awards, administration costs, and the cost of the credit monitoring that class members enroll in, the pro-rata pool is under $3.9 million, which is less than $3.90 per person if all one million class members filed a claim. Neither the $3 million documented-loss pool nor the separate $1 million fee payment flows into Cash Payment B. Fewer claims mean a larger individual share, but each credit-monitoring enrollment also draws the pool down before it is divided.
  • $5,000: maximum documented-loss claim per victim (Cash Payment A).
  • $3 million: total cap on all documented-loss payments.
  • ~$2,966K: maximum attorneys’ fee request.
  • $2,500: service award per named plaintiff (14 plaintiffs, $35,000 in total).

How This Breach Damages Real Communities Beyond Individual Victims

Public Health Consequences

The theft of medical information at this scale creates compounding harms that extend well beyond financial fraud.

  • Medical identity theft allows criminals to bill insurance systems in victims’ names for services never rendered. When fraudulent records are entered into a victim’s health file, future treating physicians can receive false information about allergies, current medications, and diagnoses, creating the risk of dangerous treatment decisions in emergency situations where a victim cannot correct the record in real time.
  • Victims whose mental health diagnoses and treatment records were included in the breach face the specific threat of that information surfacing in employment background checks, insurance underwriting decisions, or custody proceedings, deterring people from seeking mental health care in the future out of fear of repeat exposure.
  • Dependents enrolled on a parent’s health plan, including minor children, had their health information stolen. A child’s medical record may not be tested for fraud for many years, meaning the harm could remain dormant and undiscovered until the child reaches adulthood and begins applying for credit, employment, or their own insurance coverage.
  • The settlement provides only one year of credit monitoring. Health information breaches carry risks that persist for decades. The mismatch between a 12-month remedy and a lifetime of potential exposure means a significant portion of victims will face fraud attempts after their monitoring coverage has expired with no recourse under this settlement.

Economic Inequality

The distribution of harm from this breach falls most heavily on workers with the fewest resources to absorb it.

  • Dollar Tree and Family Dollar employees are among the lowest-paid retail workers in the United States, with reported median hourly wages frequently near or at state minimum wage levels. Identity theft remediation, including hiring credit repair professionals or attorneys, requires money and time that hourly retail workers are least positioned to spend.
  • House of Raeford Farms is a major poultry processor. Workers in meat and poultry processing facilities disproportionately include immigrant workers and workers of color who may face language barriers when navigating identity theft reporting systems, credit bureaus, and claims processes administered in English.
  • The pro-rata Cash Payment B option delivers the same dollar amount to a Dollar Tree cashier whose Social Security number is being used to open credit accounts as it does to a white-collar Lockton employee with resources to manage the fallout independently. The settlement structure is blind to the profound difference in impact across income levels.
  • The requirement to submit documented evidence for the $5,000 Cash Payment A tier disadvantages victims who never received bills or statements confirming fraud, whose losses were absorbed informally, or who lack the organizational capacity to compile receipts, attorney invoices, and credit agency documentation under deadline pressure.
  • If more than 2% of class members opt out, Lockton can void the entire settlement, a provision that creates a structural disincentive for community organizers to inform victims of their opt-out rights. Workers who do not know about this clause may have their access to even the small pro-rata payment jeopardized by other victims exercising their legal rights.
  • Residual funds that remain unclaimed after 120 days go to the International Association of Privacy Professionals Scholarship Fund, a professional trade organization. Unclaimed money from working-class victims of a corporate data breach flows to a scholarship fund for privacy industry professionals, not to the communities most harmed.
A poultry processing worker whose medical records and Social Security number were stolen gets the same settlement check as a corporate manager with an accountant on retainer. The settlement cannot see the difference in damage.
Fig. 4: What victims were told vs. what the settlement actually delivers
  • Claimed: up to $9,900,000 available to resolve the class action. Reality: a few dollars or less per person from the pro-rata pool after fees; attorneys may take up to $2.97M first.
  • Claimed: one year of credit monitoring provided to all victims. Reality: the stolen Social Security numbers and medical records remain compromised indefinitely.
  • Claimed: up to $5,000 reimbursement for documented losses per person. Reality: only with receipts, attorney bills, and third-party documentation most workers do not have.
  • Claimed: the settlement resolves all claims against Lockton completely and fairly. Reality: Lockton admits no wrongdoing; victims permanently waive all future legal rights.
  • Claimed: notifications sent to affected individuals regarding the data breach. Reality: breach discovered Nov 20, 2024; letters not sent until March 2025, about four months later.
  • Claimed: corporate clients are not responsible for their employees’ stolen data. Reality: Dollar Tree, Family Dollar, Sterling Pharma, and House of Raeford are all released and pay $0.

The Claim Process Puts Every Barrier on Victims, Not on Lockton

To receive any money from this settlement, victims must navigate a process negotiated between Lockton’s attorneys and Class Counsel, not one designed around the people whose data was exposed. Every step in that process has a built-in exit ramp that results in a victim getting nothing.

  • Victims must submit a Claim Form by a deadline set as 30 days before the Final Approval Hearing. No deadline is specified yet in the settlement documents; the date is listed as a placeholder. Victims who miss the deadline for any reason, including never receiving notice, receive zero compensation and still give up their right to sue.
  • Cash Payment A, which pays up to $5,000, requires submitting documentation proving losses are “fairly traceable to the Data Incident.” This is a legal standard that most working people have no capacity to meet. Handwritten records alone are insufficient; receipts must come from third parties. Losses that were real but undocumented do not qualify.
  • Cash Payment B, the pro-rata option, requires no documentation but pays an amount “that will be known following the submission of all claims.” Victims are being asked to sign away all future legal rights in exchange for a check whose amount is unknown at the time they must decide whether to opt out.
  • The Settlement Administrator, Kroll Settlement Administration LLC, has sole authority to determine whether a claim is valid. A rejected claim is final unless the parties dispute it within 10 days. There is no independent appeals process for individual victims whose claims are rejected.
  • Victims who do nothing, meaning they never see the notice or do not understand its implications, are bound by the settlement anyway, forfeit all benefits, and permanently lose the right to sue. The opt-out window requires sending a signed letter by mail with a postmark no later than the Opt-Out Deadline.
  • Enrollment codes for the one year of CyEx monitoring are sent as part of the class notice but only become active within ten days of the Effective Date. Victims who lose the email or do not activate their code have no second opportunity described in the settlement documents.
Fig. 5: Compliance vs. reality, how the breach notification process was supposed to work vs. what happened
  • Required by law / best practice: breach detected Nov 20, 2024. What happened: breach detected Nov 20, 2024.
  • Required: notify victims promptly (state laws typically allow 30 to 90 days). What happened: no notification sent from Nov 20, 2024 through Feb 2025, about four months.
  • Required: offer free credit monitoring immediately at the time of notification. What happened: notification letters sent in March 2025; monitoring codes activate only after the court’s Effective Date.
  • Required: accept responsibility and implement security improvements publicly. What happened: all wrongdoing denied; settlement made “to avoid litigation costs.”
  • Required: full and fair compensation for all documented harm. What happened: pro-rata payout likely under $10 per person, with all future claims permanently waived.

What Affected Workers and Their Communities Can Do Right Now

The settlement is pending final court approval. Before that happens, there are concrete actions that give victims more leverage than a small pro-rata check. Know your options before the deadline closes.

Who to Hold Accountable

  • Defendants are Southeast Series of Lockton Companies, LLC and Lockton Companies, LLC. Defendants are represented by Alfred J. Saikali of Shook, Hardy & Bacon L.L.P.
  • Class Counsel includes Jeff Ostrow of Kopelowitz Ostrow P.A., Gary Klinger of Milberg PLLC, and Maureen Brady of McShane & Brady, LLC. These attorneys are requesting up to $2,966,666.67 in fees.
  • The Settlement Administrator handling claims is Kroll Settlement Administration, LLC.
  • Employer clients whose workers were affected, named in the settlement as Released Parties rather than as defendants, include Dollar Tree Inc., Family Dollar Stores LLC, Sterling Pharma Solutions, and House of Raeford Farms, Inc.

Regulatory Watchlist

  • Federal Trade Commission (FTC): The FTC regulates unfair or deceptive practices and has jurisdiction over data security failures at companies handling consumer data. File a complaint at ftc.gov/complaint and report the four-month notification delay.
  • State Attorneys General: Every U.S. state has data breach notification laws. The victims in this case are spread across multiple states. Contact your state AG’s office and reference Case No. 2516-CV36137, the November 20, 2024 breach date, and the March 2025 notification date.
  • Department of Health and Human Services (HHS) Office for Civil Rights: If Lockton handled the health plan data as a HIPAA covered entity or business associate, the HIPAA Breach Notification Rule applies. That rule requires affected individuals to be notified without unreasonable delay and no later than 60 calendar days after the breach is discovered, and breaches affecting 500 or more people must also be reported to HHS. File a complaint at hhs.gov/ocr if you believe your protected health information was included, and cite the November 20, 2024 discovery date and the March 2025 notification date.
  • Consumer Financial Protection Bureau (CFPB): If you have experienced financial fraud, unauthorized credit accounts, or identity theft attributable to this breach, file a report at consumerfinance.gov/complaint.
  • Missouri Attorney General’s Office: This case is pending in Jackson County, Missouri. The Missouri AG has direct jurisdiction over consumer protection and data security matters involving Missouri-based corporate defendants.

Concrete Steps for Affected Workers

  • File a fraud alert or security freeze immediately with all three major credit bureaus (Equifax, Experian, TransUnion). Both are free under federal law and do not require waiting for the settlement process to complete. A security freeze is more protective than a fraud alert: a fraud alert only asks lenders to take extra steps to verify your identity, while a freeze blocks new credit files from being opened until you lift it. A freeze must be placed separately with each bureau and temporarily lifted when you apply for credit yourself. Parents and guardians can also place a free freeze on a minor child’s credit file, which matters here because dependents on family health plans are in the class.
  • Document every cost you have incurred since November 2024 related to identity monitoring, credit repair, attorney consultations, or fraudulent account resolution. Keep all receipts. This documentation is required for the higher Cash Payment A tier of up to $5,000.
  • Consider opting out if you have suffered significant, documentable losses and want to pursue your own lawsuit. Opt-out requires a signed letter mailed to the Settlement Administrator before the Opt-Out Deadline. If you stay in the settlement, you permanently waive all future claims.
  • File an IRS Identity Protection PIN request at irs.gov. With Social Security numbers confirmed stolen, fraudulent tax filings are a primary risk. An IP PIN prevents someone else from filing a federal tax return in your name.
  • Tell coworkers. Dollar Tree, Family Dollar, House of Raeford, and Sterling Pharma workers may not know their data was in Lockton’s systems. Many hourly workers will not read the settlement notice carefully or at all. Peer-to-peer information sharing within workplaces, break rooms, and union networks reaches people that legal mailings do not.
  • Contact your union if you work in a unionized facility. The House of Raeford workforce has union representation in some facilities. Unions can negotiate for employer-funded identity protection services, require notification of data incidents in bargaining agreements, and provide collective legal resources for members navigating identity theft.
  • Monitor your medical records through your health insurer’s explanation-of-benefits statements for procedures, prescriptions, or claims you did not authorize. Medical identity theft often does not show up on a credit report; it shows up in your health file. If you find a claim you do not recognize, ask the insurer and the provider for the underlying records. Under HIPAA you have the right to a copy of your medical records and the right to request that incorrect entries be amended, and a fraudulent diagnosis or prescription left in your file can affect the care you receive later.

The source document for this investigation is attached below.

Aleeia

I'm Aleeia, the creator of this website.

I have 6+ years of experience as an independent researcher covering corporate misconduct, sourced from legal documents, regulatory filings, and professional legal databases.

My background includes a Supply Chain Management degree from Michigan State University's Eli Broad College of Business, and years working inside the industries I now cover.

Every post on this site was either written or personally reviewed and edited by me before publication.
