Cyber Incident Victim: Blank Rome LLP
Date:
May 2026
Location:
United States of America
Summary
BlankRome LLP was hit with a proposed class action alleging it negligently failed to protect the personal information of more than 57,000 current and former clients in a data incident. The complaint says the breach exposed names, Social Security numbers, physical and email addresses, phone numbers, dates of birth, taxpayer identification numbers, driver’s license numbers, state ID card numbers, passport numbers, financial-account numbers, payment card information, medical information, and health insurance information. Plaintiffs claim injuries including invasion of privacy, lost time and money responding to the breach, emotional distress, increased spam, reduced value of personal information, and heightened risk of fraud and identity theft. The suit brings claims of negligence, breach of implied contract, unjust enrichment, breach of fiduciary duty, breach of confidence, and violations of California consumer‑privacy statutes, seeking compensatory, punitive and statutory damages, restitution, injunctive relief, attorneys’ fees and interest.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 0 motives | 0 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
BlankRome LLP experienced a data incident in May that exposed the personal information of more than 57,000 current and former clients, according to a proposed class action complaint filed on July 6, 2026, in the United States District Court for the Eastern District of Pennsylvania. The complaint alleges that the firm negligently failed to protect sensitive data, violating duties under common law, contract law, industry standards, the Federal Trade Commission Act, and the Health Insurance Portability and Accountability Act by not implementing reasonable and adequate security measures or providing timely notice of the breach. Lead plaintiff Laura Delapaz contends that the compromised information included names, Social Security numbers, physical and email addresses, phone numbers, dates of birth, taxpayer identification numbers, driver’s license numbers, state ID card numbers, passport numbers, financial-account numbers, payment card details, medical information, and health insurance data. The alleged harms suffered by the plaintiff and putative class members consist of invasion of privacy, lost time and money spent responding to the breach, emotional distress, increased spam communications, diminished value of personal information, and heightened risk of fraud and identity theft.

Delapaz seeks to represent a nationwide class of individuals whose private data was compromised in the May incident and brings claims for negligence, breach of implied contract, unjust enrichment, breach of fiduciary duty, breach of confidence, and violations of the California Unfair Competition Law, the California Consumer Privacy Act, and the California Customer Records Act. The plaintiff requests compensatory, punitive, and statutory damages, restitution, equitable and injunctive relief, attorneys’ fees and costs, and pre‑ and post‑judgment interest. The case is being handled by Strauss Borrelli PLLC and is docketed as Delapaz v. Blank Rome LLP, No. 2:26‑cv‑04655. Blank Rome, described as an Am Law 100 firm with approximately 800 attorneys across 16 offices in the United States and abroad, did not immediately respond to a request for comment regarding the litigation. The complaint notes that other law firms, including Wiley Rein LLP, Fried, Frank, Harris, Shriver & Jacobson LLP, and Pillsbury Winthrop Shaw Pittman LLP, have faced similar lawsuits over data breaches. No further details about the breach’s discovery, containment, or remediation are provided in the source material.
