Insurance Company Genworth Hit with Class Action Over Data Breach Affecting 2.7M
Last Updated on August 18, 2023
Smith v. Genworth Financial, Inc.
Filed: August 11, 2023 | Case No. 3:23-cv-00510-MHL
Genworth Financial, Inc. faces a proposed class action over a May 2023 data breach that reportedly exposed the personal information of more than 2.7 million individuals.
The 31-page lawsuit says the insurance company announced on June 24, 2023 that it had been affected by a data breach that targeted MOVEit, a widely used file transfer platform.
According to a July 21 notice letter sent on Genworth’s behalf, Pension Benefit Information (PBI)—a third-party contractor the defendant partners with—uses MOVEit to transfer files. As a result, the personal information of Genworth policyholders and insurance agents was compromised when an unauthorized threat actor infiltrated PBI’s MOVEit transfer software between May 29 and 30 of this year, the suit explains.
Genworth relayed in an online announcement of the incident that the exposed information may have included customers’ full names, Social Security numbers, dates of birth, zip codes, states of residence, policy numbers and insurance product types. In addition, the data breach compromised Genworth agents’ full names, Social Security numbers, dates of birth and full addresses, the notice states. For deceased individuals, the cyberattack also exposed their cities and dates of death, along with the sources of that information, the post says.
The case argues that Genworth failed to implement reasonable cybersecurity practices to safeguard private data from unauthorized disclosure. According to the suit, the company had a duty to ensure that its business vendors—such as PBI and the MOVEit platform—had adequate procedures in place to protect the personal information it shared with them.
The complaint also takes issue with the defendant’s alleged failure to timely notify data breach victims. Although PBI purportedly informed Genworth about the incident on June 16, Genworth “inexplicably waited over a week” before publishing the announcement on its website, the filing states.
What’s more, the plaintiff, a South Carolina resident, claims that few Genworth customers were even aware of the posted notice and only learned about the breach when they received notice letters from the defendant in July.
As the suit tells it, Genworth could have prevented the data breach in a number of ways.
“[S]ervices were available for [Genworth] to detect the data breach and prevent large scale exfiltration of [personally identifiable information] entrusted to [the defendant], but [Genworth] simply failed to appropriately implement these services,” the case charges. “Furthermore, it does not take cybersecurity expertise to know [the defendant] should not have maintained—or allowed the maintenance of—2.7 million consumers’ [personally identifiable information] on MOVEit software, where it was a sitting duck waiting for a cyberattack such as the data breach.”
The lawsuit looks to represent anyone in the United States whose private information was compromised as a result of the Genworth data breach.