Your Social Security Number Was Theirs For Eight Days

Premium Mortgage Corporation let hackers roam its systems for eight days. The data of 10,835 customers, including Social Security numbers and financial account details, was potentially stolen. Five months passed before anyone was told. Now the company wants you to accept $50 and walk away forever.

What They Took That Cannot Be Replaced

You trusted a mortgage company with the most sensitive documents of your financial life. Your Social Security number. Your bank account numbers. Your payment card information. You handed those over because you had no choice. That is how getting a mortgage works. You give a company intimate access to your financial identity, and you trust that they will protect it.

PMC failed. Hackers were inside their systems from August 24 through August 31, 2023. Eight days. While that attack was unfolding, the 10,835 customers who had entrusted PMC with their data had no idea. They went about their lives. They paid their bills, monitored their credit in the ordinary way people do, and assumed the company holding their most sensitive information was doing its job.

Then five months passed.

PMC notified customers “on or around January 10, 2024.” In the context of identity theft and fraud, five months is a geological age. Social Security numbers do not expire. They cannot be changed. A fraudster with your SSN, your full name, and your financial account numbers has everything needed to open credit lines in your name, file false tax returns, drain accounts, or sell your profile to other criminals. The damage from that kind of exposure can take years to surface. You might not find out your identity was used until you apply for a loan and discover someone else already took one out in your name. Or until the IRS tells you that someone else already filed a return under your number and collected your refund.

The settlement that PMC now wants you to sign offers you up to $50 if you cannot document your specific losses, or up to $325 if you can. These are not generous amounts. The average cost of resolving a single identity theft incident in the United States runs into hundreds of hours of time and can cost thousands of dollars in lost wages, legal fees, and unreimbursed fraudulent charges. And even those people who did suffer documented harm must prove it, submit third-party documentation under penalty of perjury, exhaust all insurance options first, and accept the Claims Administrator’s judgment as nearly final.

Underneath the dollar amounts is the deeper injury. You did not consent to having your private data exposed to criminals. You did not consent to spending hours on the phone with your bank, freezing your credit, monitoring your accounts with heightened anxiety, and wondering for months or years whether something bad is coming. The settlement agreement calls lost time “reimbursable” at $25 per hour, as if four hours of administrative panic is the full measure of what that exposure cost you. The law treats dignity as a line item. The settlement treats your peace of mind as something that can be resolved for the cost of a nice dinner.

And in exchange for that dinner, you must permanently release every legal claim you have, every claim you might discover later, and every claim you cannot yet imagine. The agreement explicitly waives California Civil Code § 1542 and its equivalents in every state. That statute exists specifically to protect people from unknowingly signing away rights to harms they have not yet discovered. PMC’s settlement requires you to waive it anyway.

This is what the law permits. It does not mean it is right.

What The Documents Actually Say

The settlement agreement filed in Monroe County on December 22, 2025 contains language that should be read carefully by every one of the 10,835 affected customers. These are verbatim excerpts from the court document.

“PMC was the target of a cyberattack that occurred from August 24, 2023 to August 31, 2023 (the ‘Data Incident’). The personally identifiable information or ‘PII’ of the Representative Plaintiffs and of 10,835 customers of PMC was potentially impacted by the Data Incident. The impacted information may include, but is not limited to, full names, Social Security numbers, payment card information, and financial account information.”

“PMC denies each and all of the claims and contentions alleged against it in the Litigation, denies any and all liability or wrongdoing of any kind, and denies all charges of wrongdoing or liability as alleged, or which could be alleged.”

“Released Claims shall collectively mean any and all past, present, and future rights, liabilities, actions, demands, damages, penalties, costs, attorneys’ fees, losses, remedies, claims, and causes of action including, but not limited to […] negligence; negligence per se; breach of contract; breach of implied contract; breach of fiduciary duty; breach of confidence; invasion of privacy; fraud; misrepresentation […] unjust enrichment; bailment; wantonness; failure to provide adequate notice pursuant to any breach notification statute or common law duty.”

“Settlement Class Members, including Plaintiffs, may hereafter discover facts in addition to, or different from, those that they, and any of them, now know or believe to be true with respect to the subject matter of the Released Claims, but Plaintiffs, expressly shall have, and each other Settlement Class Member shall be deemed to have, and by operation of the Judgment shall have, upon the Effective Date, fully, finally and forever settled and released any and all Released Claims, including but not limited to any Unknown Claims they may have.”

“PMC has adopted, paid for, implemented, and will maintain certain business practice changes related to information security to safeguard personal information on its systems. PMC will detail these business practice changes to Class Counsel in a confidential declaration.”

“Settlement Checks that are not negotiated within ninety (90) days of their date of issue shall not be reissued […] If a Participating Settlement Class Member fails to cash a Settlement Check issued under this Settlement Agreement before it becomes void, the Participating Settlement Class Member will have failed to meet a condition precedent to recovery of Settlement benefits, the Participating Settlement Class Member’s right to receive monetary relief under the Settlement shall be extinguished, and Defendant shall have no obligation to make payments to the Participating Settlement Class Member […] Such Settlement Class Members remain bound by all terms of the Settlement Agreement.”

Who Gets Hurt When Mortgage Companies Lose Your Data

Public Health: Financial Anxiety and the Harm of Sustained Exposure

The harm from a data breach involving Social Security numbers and financial account credentials is not limited to the moment of theft. It extends across years of uncertainty, administrative burden, and psychological strain.

• Social Security numbers cannot be changed once compromised. Affected individuals carry the risk of identity fraud for the remainder of their lives, requiring perpetual vigilance over credit reports, tax filings, and government benefit accounts.
• The five-month notification delay from August 2023 to January 2024 meant that for approximately 150 days, victims had no information that would allow them to take protective action. Any fraud or identity theft initiated during that window would have had a significant head start.
• The documented burden of resolving identity theft, including time spent calling banks, disputing fraudulent accounts, filing police reports, and communicating with the IRS, falls entirely on the victim. This labor is largely invisible in the settlement framework, which caps lost time reimbursement at four hours at $25 per hour, a maximum of $100, regardless of how many actual hours a victim spent.
• For low-income class members, the consequences of even minor identity fraud, such as an unauthorized bank withdrawal or a fraudulent credit inquiry, can cascade into missed rent payments, overdraft fees, and credit score damage that affects their ability to secure future housing or financing.
• Elderly class members are disproportionately targeted by identity fraudsters because they are more likely to have clean credit histories and less likely to catch suspicious activity quickly. PMC’s settlement offers no enhanced protections or extended monitoring for this population.

Economic Inequality: The Settlement Favors Those Who Can Document Their Losses

The structure of the settlement’s monetary relief creates a two-tier outcome: well-resourced victims who can document harm receive more; low-income victims who lack documentation are capped at $50.

• The $50 Alternative Cash Payment requires no documentation and no proof. It is the relief option designed for people who cannot produce receipts, bank statements, or third-party records. In a breach affecting mortgage customers, many of whom are already navigating financial stress, $50 is a token, particularly when surrendering every legal claim in exchange.
• Claiming ordinary out-of-pocket losses up to $325 requires “supporting third-party documentation” and attestation under penalty of perjury. Victims who paid cash for credit repair services, who lack organized financial records, or who experienced losses they cannot pin to a specific receipt are effectively excluded from this tier.
• The extraordinary loss category (up to $5,000) requires proof of unreimbursed loss from identity theft or fraud, causally linked to this specific breach, with documentation, under penalty of perjury, and only after exhausting all available insurance. The causal link requirement is particularly burdensome: proving that a specific fraud event was caused by this breach rather than any other data exposure the victim may have suffered is often practically impossible.
• Lost time is valued at $25 per hour, capped at four hours. This rate is below the federal minimum wage in some calculations of equivalent professional time and reflects none of the opportunity cost borne by hourly workers who must take time off work to address the aftermath of identity theft.
• Class members who change addresses, fail to receive their notice, or miss the 90-day check cashing window through no fault of their own lose all monetary relief while remaining bound by the full release of claims. This outcome disproportionately harms transient, unhoused, and low-income populations.
• PMC’s counsel can terminate the settlement entirely if more than 200 class members opt out. This pressure point discourages organized resistance from within the class. Any victim advocacy group that publicizes the opt-out option risks collapsing the only compensation available to the 10,000-plus class members who cannot afford to pursue individual litigation.

What PMC Calculated Your Data Was Worth

Your Options, Your Deadline, and Who To Pressure

The settlement is pending final court approval in the Supreme Court of New York, Monroe County. Every affected customer has a legally protected window to act before that approval locks in the terms permanently.

Current Leadership and Counsel of Record

• PMC’s Defense: Daniel M. Braude and Nicholas Pontzer, Mullen Coughlin LLC, Devon, PA.
• Class Counsel: Lynn A. Toops, Cohen & Malad, LLP, Indianapolis; Gary M. Klinger, Milberg Coleman Bryson Phillips Grossman, PLLC, Chicago.
• Claims Administrator: Angeion Group, 1650 Arch Street, Suite 2210, Philadelphia, PA 19103.
• Named Plaintiffs: Cory Rehmsmeyer and Toni Hyde, represented as class representatives for 10,835 customers.
• [REDACTED – Not in Source]: PMC corporate officers and board members are not identified in the settlement agreement.

Watchlist: Regulatory Bodies With Authority Over This Situation

• New York Department of Financial Services (NYDFS): Regulates mortgage companies operating in New York and enforces cybersecurity regulations under 23 NYCRR 500. PMC’s eight-day breach window and five-month notification delay may implicate NYDFS cybersecurity requirements. File a complaint at dfs.ny.gov.
• Federal Trade Commission (FTC): Enforces consumer protection standards and the Gramm-Leach-Bliley Safeguards Rule, which requires financial institutions like mortgage companies to maintain specific data security programs. Report at reportfraud.ftc.gov.
• Consumer Financial Protection Bureau (CFPB): Oversees mortgage companies and their data handling obligations under federal consumer financial law. Submit a complaint at consumerfinance.gov/complaint.
• New York Attorney General: Has enforcement authority under New York General Business Law § 349, the exact statute cited in the class action complaint. Contact via ag.ny.gov.
• Internal Revenue Service (IRS): If your Social Security number was used to file a fraudulent tax return, file Form 14039 (Identity Theft Affidavit) immediately. Do not wait for the settlement to close.

What You Can Do Right Now

• Freeze your credit at all three bureaus immediately: Equifax, Experian, and TransUnion. This is free under federal law and stops new accounts from being opened in your name without your consent. The settlement’s credit monitoring covers only one bureau; you need all three.
• File an IRS Identity Protection PIN request: If your Social Security number was exposed, the IRS offers an IP PIN that prevents anyone else from filing a tax return under your number. This is free and can be done at irs.gov/identity-theft-central.
• Read the opt-out deadline carefully when notice arrives: You have 60 days after the notice mailing date to opt out. If you opt out, you preserve your right to sue independently; you give up settlement compensation. Consult a consumer protection attorney before that deadline if you believe your losses exceed $5,000.
• Document everything now: Keep records of every hour spent dealing with the breach, every fraudulent charge, every credit freeze fee, and every related expense. If you later file a claim, documentation is required. Start today regardless of whether the settlement is approved.
• Connect with local tenant and consumer mutual aid organizations: Many cities have free or low-cost legal clinics operated through law school programs or legal aid societies that can help you evaluate whether opting out and filing an individual claim is worth pursuing in your specific situation.
• If you received a settlement notice, share this article with neighbors: 10,835 people were affected. Many of them are in Monroe County, New York, and surrounding areas. Organized awareness of the 200-person opt-out threshold, which would trigger PMC’s right to kill the deal, can shift the power dynamics inside a settlement class.
• Watch the settlement website and cash any check within 90 days: Mark the date your check arrives on your calendar in multiple places. Missing that 90-day window forfeits your compensation permanently while leaving your claim release intact.