The American Armed Forces Mutual Aid Association (AAFMAA) faces a proposed class action in the wake of a large-scale data breach that reportedly affected tens of thousands of United States Military veterans.
The 45-page lawsuit alleges that although AAFMAA became aware of “suspicious activity” on its computer systems on January 29, 2021, the Virginia-based non-profit mutual aid group did not inform those whose information was compromised until March 5.
According to the complaint, AAFMAA is responsible for the data breach in that it failed to implement and maintain “any reasonable safeguards” for the litany of personally identifiable information, including health details, it collects from veterans who purchase the organization’s life insurance policies, mortgage and financial planning services or other offerings. Further, AAFMAA failed to comply with industry-standard data security practices, contrary to the representations the organization made in its privacy statements, the suit alleges.
The plaintiff, a disabled United States Army veteran who purchased life insurance through AAFMAA, asserts that the defendant’s data breach notice revealed that his name and Social Security number were exposed in the data breach but stopped short of disclosing that “additional treasure troves” of personal information were stored on the defendant’s servers. As a result, the plaintiff “cannot be sure” that even more of his sensitive information, possibly including his email address, driver’s license data and credit card specifics, was not exposed to the “unauthorized actor” responsible for the early 2021 breach, the suit contends.
According to the case, the plaintiff has spent approximately 21 hours monitoring for any instances of financial fraud or identity theft, in part because the man “suffers from certain cognitive issues arising from his service-related disability.” The suit says the plaintiff, among other damages, experienced “significant emotional distress,” including heightened anxiety and depression, upon learning of the breach. Compounding matters for the plaintiff was the fact that AAFMAA also possessed information on the man’s minor child, the case says, noting the defendant, to date, has not disclosed whether the child’s data was among what was compromised in the incident.
The complaint alleges AAFMAA was aware of its status as a “prime target” for hackers given the amount of sensitive information it collects and stores. Per the suit, the defendant acknowledged the risk of data breach to its members in a September 2017 blog post.
According to the lawsuit, at least 161,621 individuals were affected by the January 2021 AAFMAA data breach.