Receivables Performance Management Hit with Class Action Over 2021 Data Breach Affecting 3.7 Million People

New to ClassAction.org? Read our Newswire Disclaimer

A proposed class action claims the failure of Receivables Performance Management (RPM) to properly secure the private information of approximately 3.7 million customers is to blame for a 2021 data breach.

The 21-page case alleges that the Washington-based debt collection company exposed the names, Social Security numbers and other personally identifying information of 3,766,573 individuals to unauthorized third parties from April 8 to May 21, 2021 by failing to implement reasonable cybersecurity measures.

Want to stay in the loop on class actions that matter to you? Sign up for ClassAction.org’s free weekly newsletter here.

Per the complaint, RPM, the purported nationwide leader in accounts receivable management, discovered the data security incident on May 12 of last year but waited 18 months to begin notifying affected individuals in November 2022. The filing says that to date, RPM has provided victims with “vague and incomplete” reports concerning the nature of the compromised data and details surrounding the incident.

Receivables Performance Management reported that it has “obtained confirmation to the best of its ability that the information is no longer in the possession of the third party(ies) associated with this incident,” and offered one year of credit monitoring and identity theft services to affected individuals, the lawsuit relays. However, RPM’s remedial efforts are too little too late, the case argues, contending that victims are already at serious risk of fraud or identity theft, especially since the leaked information is highly valued and traded on the “cyber black market.”

The complaint contests that RPM should have known that it would be a target for malicious actors considering the substantial increase in data breaches in recent years, as well as widespread coverage and industry alerts of similar attacks. 

“Despite such knowledge, RPM failed to implement and maintain reasonable and appropriate data privacy and security measures to protect Plaintiff’s and Class members’ [personally identifiable information] from cyber-attacks,” the case reads.

The suit goes on to allege that RPM was out of line with regulatory and industry guidance regarding data security, contradicting its privacy policy promise that it “recognizes and respects the information/legislation set forth by Federal … and State guidelines pertaining to privacy matters regarding client, customer and other 3rd party information.”

The lawsuit looks to represent all individuals residing in the United States whose personally identifiable information was compromised in the data breach disclosed by Receivables Performance Management on or about November 21, 2022, including all U.S. residents who were sent a notice of the data breach.

Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s free weekly newsletter here.