Legacy Professionals Data Breach Exposes PII & PHI

On January 31, 2025, Legacy Professionals, LLP discovered a significant data breach impacting 216,752 individuals across the United States. The breach occurred on two separate days—April 25 and April 30, 2024—when unauthorized actors gained access to the company's computer network.

Legacy Professionals LLP, an accounting firm based in Westchester, IL, promptly took steps to secure its systems and launched an investigation with the assistance of cybersecurity specialists.

The investigation revealed that the breach involved ransomware, specifically the LockBit 3.0 ransomware variant. The cybercriminal group responsible, LockBit 3.0, claimed responsibility for the attack and announced on the dark web that they had published Legacy Professionals LLP's data on August 25, 2024. The stolen data included sensitive personal information of clients and other individuals associated with the firm.

‍

The types of consumer information exposed in this breach include:

• Full names of individuals
• Social Security numbers
• Driver’s license numbers
• Government-issued ID numbers (such as passports or state ID cards)
• Financial information (e.g., account numbers, credit or debit card numbers)
• Medical information
• Health insurance information

Legacy Professionals confirmed that the breach affected 4,939 individuals in Texas, 501 individuals in Massachusetts, and 60 individuals in Maine. The firm notified impacted consumers by written notice via U.S. Mail on February 27, 2025.

The breach was reported to multiple state attorney general offices, including California on March 4, 2025, Texas on March 4, 2025, Massachusetts on February 28, 2025, and Maine on March 1, 2025. Additionally, the breach was reported to the U.S. Department of Health and Human Services on February 28, 2025.

Legacy Professionals LLP's Response

Upon discovering the breach, Legacy Professionals LLP secured its network environment and began an extensive investigation into the incident. The company engaged a third-party cybersecurity specialist to determine the scope and impact of the breach. Legacy Professionals LLP also reported the incident to federal law enforcement authorities.

To support those affected, Legacy Professionals LLP is offering complimentary credit monitoring and identity theft protection services through IDX for a period of 24 months. Impacted individuals can enroll in these services by visiting the dedicated enrollment page provided by Legacy Professionals LLP. The enrollment deadline is May 27, 2025.

Individuals affected by this breach should remain vigilant and closely monitor their financial accounts and credit reports for any suspicious activity. Consumers are encouraged to enroll promptly in the free identity protection services provided, review their credit reports regularly, and consider placing fraud alerts or credit freezes on their credit files.

For additional details, impacted individuals can review the official data breach notification posted on the websites of:

• California Attorney General's data breach disclosure
• Texas Attorney General's data breach disclosure
• Massachusetts Attorney General's data breach disclosure
• Maine Attorney General's data breach disclosure
• U.S. Department of Health and Human Services data breach disclosure

About Legacy Professionals, LLP

Legacy Professionals LLP is a certified public accounting firm headquartered in Westchester, IL, with additional offices in Schererville, IN, and Edina, MN. Founded in 2003, the firm provides specialized audit, accounting, tax, and payroll compliance audit services to a variety of industries, including employee benefit plans, labor organizations, nonprofit entities, government entities, and small to medium-sized businesses.

The firm currently has 35 partners and principals and employs over 180 professionals who serve clients nationwide. Legacy Professionals LLP is recognized for its expertise in employee benefit plans and payroll compliance audits, often contributing as thought leaders at industry conferences.