What Half a Million People Actually Lost

There is a document floating in a federal courthouse in Waco, Texas, that describes your Social Security number as “potentially involved.” That word, potentially, is doing a lot of heavy lifting. It is the word a company uses when it wants to acknowledge that something bad happened without fully owning what that something is. If your Social Security number was in AIL’s systems when that extractor ran their tool, your SSN is out there. Potentially is not the word you use when you find out your own number got taken. You use words like “ruined” and “terrified” and “how do I fix this.”

Think about who buys life insurance and supplemental health insurance from American Income Life. These are not tech-sector professionals with identity protection services already on their laptops. AIL specifically markets to working-class families, union members, hourly workers, people who live paycheck to paycheck and whose financial lives cannot absorb one fraudulent charge, one frozen account, one week of fighting with a bank. These are people for whom a declined payment on the first of the month can start a cascade: missed rent, late fees, damaged credit, and then the months of disputing records that follow. Their insurance company, the company they trusted with their most sensitive information as a condition of getting coverage, left that information exposed to an extortionist.

Health-related information is not like a credit card number. You can cancel a credit card. You cannot cancel your medical history. If your health insurance policy information is now in the hands of someone who wants to misuse it, that person knows what conditions you have been treated for, what medications you take, what your coverage looks like. That information can be used to discriminate against you in ways you will never trace back to this breach. It can be sold to data brokers who sell it to employers, landlords, and lenders. The harm does not announce itself. It accumulates quietly until one day you are denied something and you do not know exactly why.

The settlement offers up to $72 for time spent “dealing with anxiety, stress, and loss of sleep.” Read that again. The company that held your health records and Social Security number while an extortionist threatened to publish them will compensate you for your anxiety at $18 an hour, up to four hours. The implicit message is that your distress, your sleepless nights, your hours on the phone with your bank, your fear about what might happen next, is worth approximately the cost of two movie tickets. The 532,578 people in this class include people who will spend years looking over their financial shoulder because of this breach. The settlement asks them to sign away any right to pursue further accountability in exchange for that.

And crucially, the settlement explicitly includes “Unknown Claims” in the release. That means you are not just giving up your right to sue over harms you already know about. You are giving up your right to sue over harms you do not yet know exist. If your data is used to steal your identity five years from now, if it is used to take out a loan in your name, if it ends up in a healthcare fraud scheme that attaches medical debt to your record, you cannot come back. The door closes the moment the court grants final approval and you fail to opt out.

The three named plaintiffs, Patsy Decow, Thomas Harris, and Kathleen McAllister, will each receive $5,000 service awards for representing the class. That is more than 69 times the maximum lost-time payment available to every one of the other 532,575 people in the class. Service awards for class representatives are standard practice in class action law, but the stark numerical gap between what the named plaintiffs receive and what everyone else gets is worth sitting with for a moment.

What the Court Documents Actually Say

The settlement agreement filed on February 12, 2026 in the Western District of Texas contains language that tells a very specific story. Here are the key passages, verbatim, with plain-language breakdowns of what they admit.

• This confirms the breach was an extortion event, not merely a passive exposure. An actor accessed the data and had leverage over it.
• Globe Life disclosed the extortion threat to the SEC on October 17, 2024, but did not begin notifying affected customers until March 2025, a minimum five-month gap.
• The form 8-K filing is a securities disclosure required because Globe Life is publicly traded. Shareholders learned about the threat before customers did.

• The notification window ran from March to June 2025, meaning some people received notice eight or more months after the October 2024 incident.
• During those months, affected individuals had no opportunity to take protective action: no credit freeze, no identity monitoring, no fraud alerts, nothing.
• The phrase “after notifying law enforcement and consulting with experts” is used to explain the delay, but it does not establish that eight months of investigation was necessary before customers could be warned.

• This is the full scope of what was exposed. Social Security numbers paired with health information and insurance policy details is one of the most complete packages of personal data a fraudster or identity thief could want.
• The phrase “including, but not limited to” means the disclosed categories are a floor, not a ceiling. Additional data types may have been involved that are not listed here.

• Globe Life and AIL are paying $3.4 million to make this lawsuit go away without admitting they did anything wrong. This is standard legal practice in class action settlements, but it means there is no official finding of negligence on the record.
• Without an admission, there is no enforceable public record requiring Globe Life to change its data security practices.

• Every class member who does not opt out surrenders the right to sue over this breach, including over future harms they do not yet know about.
• This release specifically waives rights equivalent to California Civil Code Section 1542, which protects people from unknowingly signing away rights to unknown future claims. That protection is explicitly stripped.

• The $3.4 million cap is fixed regardless of how many people file valid claims. If even a fraction of the 532,578 class members file for the maximum documented loss amount of $5,000, the pool is exhausted and every payment is slashed proportionally.
• Defendants bear no additional financial risk if claims volume is high. The cap protects them; it does not protect the class.

• The settlement formally recognizes that anxiety, stress, and loss of sleep are real, compensable harms caused by this breach. Then it values those harms at $18/hour for up to four hours.
• Settlement Class Members must self-certify that they spent time responding to the incident. No third-party documentation is required for this payment tier, making it the most accessible claim.

The Damage Beyond the Dollar Amount

A data breach at an insurance company is not just a corporate IT failure. It is a public health event, an economic attack on working-class families, and a systemic breach of the trust that makes insurance products function at all. Here is the documented impact across two critical categories.

When health-related information and insurance policy data is exposed, the consequences run far deeper than financial fraud.

• Health insurance policy information in criminal hands can be used to commit medical identity theft, which means fraudulent charges can appear on a victim’s insurance record, exhausting their coverage limits and leaving them without benefits for legitimate medical needs.
• When Social Security numbers are paired with health records, that combination can be used to file fraudulent tax returns, Social Security disability claims, and Medicare or Medicaid claims in a victim’s name, entangling them in government fraud investigations for years.
• Mental health harms are formally acknowledged in this settlement. The document explicitly compensates for “anxiety, stress, and loss of sleep,” establishing that psychological harm from data breaches is real and measurable. The settlement’s own structure confirms that 532,578 people experienced documented psychological harm as a direct consequence of this breach.
• The settlement’s compensable losses include “professional fees paid to address identity fraud,” which implies the defendants’ own lawyers anticipated that some portion of the 532,578 people would need to hire fraud specialists, attorneys, or accountants to untangle the downstream consequences of this breach on their health and financial records.
• Health-related information cannot be changed or revoked once exposed. Unlike a credit card number, a medical history follows a person permanently. The long-term health insurance discrimination risk, though difficult to quantify in a settlement, is a real and ongoing harm for each affected individual.

The economic harm from this breach falls disproportionately on the people least equipped to absorb it.

• American Income Life specifically markets to working-class families, including union members and hourly workers. This is not a breach of a luxury financial product. The people whose data was taken are the same people who cannot afford extended disruption to their bank accounts, credit scores, or insurance coverage.
• The settlement provides a maximum of $72 for lost time at $18/hour, capped at four hours. The federal minimum wage is $7.25/hour, but many of the people in this class earn near or at minimum wage. The settlement’s implicit assumption that four hours covers the full economic cost of responding to a breach of Social Security numbers and health records drastically undervalues the real labor involved.
• The compensable expense list includes “costs incurred to place or remove a credit freeze,” which costs nothing at most bureaus but can require multiple phone calls and hours of documentation. The settlement is compensating people for navigating a bureaucratic burden created by Globe Life’s failure.
• The settlement’s $3.4 million cash cap means approximately $6.38 per person if every class member filed a valid claim. Globe Life’s 2024 annual revenue was in the billions. The settlement amounts to a rounding error on their financial statements.
• The attorneys’ fee request of $1,260,000 represents approximately 37% of the total $3.4 million cash settlement pool. Class members’ lawyers are positioned to collect over one-third of the available funds before a single victim sees a dollar.
• People who do nothing in the settlement process still lose their right to sue, but receive no cash payment. They do receive credit monitoring, but only if they activate a code from a postcard that must first survive their mailbox, be retained, and then be used on a website after final court approval. People with limited internet access, unstable housing, or low digital literacy are structurally disadvantaged in accessing even this baseline benefit.

The Math That Should Make You Angry

The Corporate Web Behind the Breach

Multiple entities are connected in this case. Understanding who owns whom, who was sued, and who pays explains how corporate structures can diffuse accountability.

Your Options, Your Rights, Your Next Move

The settlement is not final. A court still has to approve it. Here is what you can actually do.

If You Were Notified by Globe Life or AIL

• File a claim. Submit a Claim Form online at the settlement website (address to be listed on your postcard) or by mail to Kroll Settlement Administration LLC. The deadline is 60 days from the Notice Date. Check your postcard for the specific date. You can claim Cash Payment A for documented losses up to $5,000 and/or Cash Payment B for up to four hours of lost time at $18/hour.
• Activate your credit monitoring immediately. Your postcard contains a unique code for two years of Cyex Financial Shield Complete. This is yours regardless of whether you file a cash claim. Activate it as soon as the court grants final approval. Instructions will be on the settlement website.
• Consider opting out if you have serious damages. If you have already experienced identity theft, fraudulent charges, or other significant financial harm traceable to this breach, opting out preserves your right to sue independently. The opt-out deadline is 30 days before the Final Approval Hearing. Mail a written opt-out request to Kroll Settlement Administration LLC before the deadline.
• Object to the settlement if you think it is inadequate. Any class member who does not opt out can file a written objection with the court by the Objection Deadline. Objections must be filed with the U.S. District Court for the Western District of Texas, Waco Division, and mailed to class counsel, defendants’ counsel, and the settlement administrator.
• Place a credit freeze at all three bureaus now. Do not wait for credit monitoring activation. Contact Equifax, Experian, and TransUnion directly to freeze your credit. This is free and immediate, and it prevents new accounts from being opened in your name.
• File an identity theft report if you have experienced fraud. The FTC’s IdentityTheft.gov creates an official report and a personalized recovery plan. This documentation can support a Cash Payment A claim and may be needed if fraud escalates.

Corporate Leadership on Record

• Defendants’ counsel of record: Jeffrey Hammer, Matthew Brigman, and Ed Fernandes of King & Spalding LLP.
• Globe Life Inc. is publicly traded on the NYSE under the ticker GL, headquartered in McKinney, Texas. Shareholders and institutional investors can file shareholder resolutions demanding improved data security practices and transparency.
• American Income Life Insurance Company is a subsidiary of Globe Life Inc., headquartered in Waco, Texas. State insurance regulators in Texas have jurisdiction over its operations and licensing.

Watchlist: Regulatory Bodies With Jurisdiction

• Federal Trade Commission (FTC): The FTC enforces data security standards for financial institutions and can take action against companies that fail to reasonably protect consumer data. File a complaint at FTC.gov/complaint.
• Securities and Exchange Commission (SEC): Globe Life is publicly traded and already filed an 8-K. The SEC’s cybersecurity disclosure rules require timely and accurate reporting of material breaches. Monitor whether Globe Life’s disclosures were complete and timely under SEC Rule 10b-5.
• Texas Department of Insurance (TDI): The primary state regulator for both Globe Life and AIL. TDI has authority to investigate whether AIL’s data security practices met state licensing requirements. File a complaint at TDI.texas.gov.
• Texas Attorney General’s Office: The Texas Identity Theft Enforcement and Protection Act requires timely breach notification. The AG can investigate whether the five-plus month notification delay violated state law. File a complaint at texasattorneygeneral.gov.
• Department of Labor (DOL): AIL sells supplemental health and accident coverage. If any affected policyholders had employer-sponsored plans subject to ERISA, the DOL’s Employee Benefits Security Administration has jurisdiction over data security obligations.
• Consumer Financial Protection Bureau (CFPB): The CFPB has authority over financial data privacy. If any of the breached data was used in connection with financial products, file a complaint at consumerfinance.gov/complaint.

Grassroots and Mutual Aid

• Connect with impacted neighbors. If you are a union member, your union may have resources for identity theft recovery and legal consultation. Many locals have emergency funds or legal service plans that cover situations like this. Ask your steward.
• Share this article. Half a million people were sent a postcard with legal jargon and a short deadline. Many will not understand their rights or options. Translating the settlement’s terms into plain language for affected friends and family is direct action.
• Attend the Final Approval Hearing. It is a public proceeding in the United States District Court for the Western District of Texas, Waco Division. Any class member or member of the public can attend. Showing up matters.
• Support data privacy legislation. Contact your U.S. Senators and Representatives to demand a comprehensive federal data privacy law with real teeth, including mandatory timely notification, minimum security standards for insurance companies, and uncapped damages for breach victims.
• Document everything. If you experience any identity theft, fraud, or financial disruption you believe is linked to this breach, document it with dates, amounts, and records. Even if you accept the settlement, thorough documentation supports your claim form and creates a paper trail if future harms emerge.