A Lynnwood-based debt-collection company has been sued for compromising the names and Social Security information of more than 3.7 million individuals in a data breach in April 2021.
Multiple lawsuits filed in federal court in Washington this week claim the firm, Receivables Performance Management, failed to notify impacted individuals of the breach for more than 18 months.
RPM’s attorney Brian Middlebrook, a partner at New York-based law firm Gordon Rees Scully Mansukhani, said the company apologizes for the inconvenience the incident has caused. RPM conducted an investigation before notifying the affected individuals last month, Middlebrook said.
“There is no verified evidence that any personal information was published, shared or misused as a result of this incident,” Middlebrook said in an email.
According to one of the lawsuits filed by Seattle-based law firm Hagens Berman, just a month after RPM had a data breach the firm suffered a ransomware attack and files containing consumer data were accessible to hackers.
The ransomware “put millions of people at risk of identity theft and years of damaging fraud, financial loss and hardship,” said Tom Loeser, a Hagens Berman partner and former federal prosecutor in the Cyber and Intellectual Property Crimes Section of the U.S. Attorney’s Office in Los Angeles.
In one lawsuit, a woman argues she has already been a victim of fraud as a result of the breach. Two of her financial accounts were hacked. The funds she lost from one of the accounts were not refunded. The suit also claims someone requested her tax filings dating back to 2018 from the IRS.
Another class-action lawsuit claims small amounts of money were withdrawn from another individual’s bank account. The bank refunded those amounts, according to the suit.
Founded nearly two decades ago, RPM has collected debt for companies such as satellite TV company Dish and telecommunications giant T-Mobile. RPM’s website says the company is a national leader in the collections industry.
RPM has been sued at least 13 times in Western Washington District Court since 2015, including the four recently filed for the data breach. Two other lawsuits filed in 2021 and 2022 argue RPM engaged in unfair debt collections.
Millions of people nationwide and in Washington have had their data exposed as a result of data breaches. CommonSpirit Health, Virginia Mason Franciscan Health’s parent company, said Thursday patient data was leaked in a ransomware attack. It was unclear how many patients were impacted.
MCG Health, a company that uses data to help health care providers and insurers, was sued in July for allegedly compromising health data of nearly 1.1 million patients. The Washington State Department of Licensing had to shut down its online licensing system in January after learning of suspicious activity that could have exposed information of more than 250,000 individuals.