Cyber Incident Victim: Barton Gilman

In September 2024, the computer network of Barton Gilman, a regional law firm with offices in Providence and Boston, was breached, resulting in the theft of personal information. The incident remained undetected by the firm for approximately one year, a delay that legal experts have identified as a critical failure in the firm's security protocols. The breach was not disclosed to affected individuals until December 23, 2025, when plaintiff Allison Hellested of Swansea received formal notice. This notification came after the firm had reported the incident to authorities in Massachusetts and Vermont in the same month, December 2025, as required by state breach notification laws. The firm's delayed detection and subsequent year-long gap before informing individuals form the central allegations in the ensuing legal action, with the plaintiff arguing this timeline significantly exacerbated potential harm to victims.

The data breach impacted a total of 3,375 residents across multiple states, exposing their personal information. In response to the discovery, Barton Gilman offered credit monitoring services to affected individuals, a measure the plaintiff's lawsuit contends is insufficient given the circumstances. Following the notification, Allison Hellested filed a putative class action lawsuit against the firm in the U.S. District Court in Rhode Island. The complaint asserts multiple legal claims, including negligence for failing to implement adequate data security measures, breach of implied contract for not safeguarding client information, and unjust enrichment for retaining benefits while providing inadequate protection. The case highlights the legal and reputational consequences for organizations, particularly law firms, that handle sensitive data and face scrutiny over their cybersecurity practices and breach response timelines. The litigation is ongoing, seeking damages and restitution for the class of individuals whose information was compromised.