Thousands of individuals who provided sensitive information to a mortgage lender are now facing ongoing risks of identity theft after their personal and health data was stolen by hackers in a 2025 cyberattack. The incident, which allegedly exposed names, Social Security numbers, financial account details, and limited medical information, has led to a class action lawsuit demanding accountability and changes in data security practices.
On March 23, 2026, Richard Bernich filed a class action complaint in the United States District Court for the Eastern District of New York against US Mortgage Corporation. The complaint alleges that the New York-based direct mortgage lender failed to properly secure personally identifiable information (PII) and protected health information (PHI) belonging to customers and employees.
According to the filing, between May 13 and May 14, 2025, cybercriminals gained unauthorized access to portions of US Mortgage Corporation’s computer network. The attackers stole unencrypted private information stored on those systems. The compromised data included names, birthdates, contact details, government identification numbers such as Social Security numbers, financial account details including mortgage account information, and limited medical records.
The complaint outlines that individuals seeking or receiving services or employment from US Mortgage Corporation were required to provide this sensitive information as a condition of doing business with the company. Plaintiffs argue that they reasonably expected their confidential data would be kept secure based on explicit promises made by the company in its privacy policy: “All of our employees are familiar with our security policy and practices... Sensitive information, such as credit card numbers or social security numbers, is protected by encryption protocols.”
However, the lawsuit alleges that these assurances were not upheld. It claims that US Mortgage Corporation failed to use industry-standard safeguards such as encryption both in transit and at rest; did not implement multifactor authentication; lacked adequate monitoring systems; and did not detect or disclose the breach until more than nine months after it occurred. The plaintiff points out that under New York law (N.Y. Gen. Bus. Law § 899-aa(2)), notification should have been issued within thirty days of discovering the breach but was delayed by over 260 days.
The complaint further asserts that financial institutions like US Mortgage Corporation have contractual, statutory, and common law duties, as well as obligations under federal laws such as the Gramm-Leach-Bliley Act, to protect consumer data from unauthorized disclosure. Despite widespread knowledge about increasing cyberattacks targeting financial firms, highlighted by recent breaches at other companies, the defendant allegedly failed to take reasonable steps recommended by federal agencies like the Federal Trade Commission (FTC), National Institute of Standards and Technology (NIST), and Cybersecurity & Infrastructure Security Agency (CISA).
Plaintiffs describe various harms suffered as a result of the breach: “financial costs incurred mitigating the materialized risk... actual identity theft and fraud... deprivation of value of their Private Information; loss of privacy; emotional distress including anxiety and stress.” They also note that victims must now devote significant time monitoring accounts for fraudulent activity due to heightened risks posed by their stolen data being sold on dark web marketplaces.
The legal claims brought forward include negligence and negligence per se for failing to safeguard private information; breach of implied contract based on representations made regarding data protection; unjust enrichment for deriving economic benefit from collecting sensitive data without adequate security; and violations related to delayed notification under state law.
Plaintiffs seek damages for injuries already suffered—including costs related to identity theft prevention—and request injunctive relief requiring US Mortgage Corporation to implement stronger cybersecurity measures going forward.
The case identifies Richard Bernich as plaintiff representing all others similarly situated but does not list attorney names in this excerpt. The case number is 2:26-cv-01713.
Source: 226cv01713_Bernich_v_US_Mortgage_Corporation_Complaint_Eastern_District_New_York.pdf