Why data breach class actions are surging and how CISOs can respond

Written by:

Sarah Kinbar, Strategic Content Writer

It did not take long for the lawsuits to roll in after Healthcare Services Group, Inc. (HSGI) disclosed, in an August 27 notification letter, a data breach dating back to October 2024. The moment HSGI admitted to an “unauthorized” exfiltration of files affecting roughly 624,496 people, a wave of class-action filings crashed in, not just one but several, in quick succession.

In Akins v. Healthcare Services Group, the plaintiff seeks damages and injunctive relief, alleging that HSGI failed to implement reasonable safeguards and waited months to notify victims. In Chadwell v. Healthcare Services Group, a former employee highlights personal harm including increased spam calls and financial stress, arguing that HSGI’s delay directly worsened the impact. In Crews v. Healthcare Services Group, the complaint criticizes the company’s limited disclosure and demands lifetime credit monitoring, claiming the notice letters offered only a token response.

The surge in data breach lawsuits

Class actions as a growing legal industry

This phenomenon is not limited to HSGI. Data breach class-action litigation has become one of the fastest-growing legal markets in the U.S. In the first half of 2025, more than 1,700 breaches were reported, and law firms have leaned into breach litigation as a ready-made practice area. Lawyers are deploying digital ads and boilerplate filings within hours of a breach notice to lure in plaintiffs, the Wall Street Journal reported last week.

Acceleration of filings since 2022

The pace is accelerating. In 2024, 1,488 breach class actions were filed, nearly triple the number in 2022. Analysts describe this as a growing cottage industry, with lawyers explicitly building templates and campaigns to pounce on every breach quickly, according to WSJ.

What happened at Healthcare Services Group

Breach timeline and disclosure delays

HSGI, a provider of environmental, dining, and nutritional services to healthcare facilities, confirmed it detected “suspicious activity” on October 7, 2024. Hackers had accessed and copied files between September 27 and October 3, 2024. 

Sensitive data compromised

Sensitive data—including names, Social Security numbers, driver’s license or state ID numbers, financial account details, and credentials—was allegedly compromised. Around 624,000 individuals were notified, and HSGI offered 12 months of free credit monitoring. 

HSGI’s announcement can be read here.

Why lawsuits arrive so quickly

Copycat filings and early settlement strategies  

The speed of filings arises from both hardened plaintiffs’ strategies and the sheer volume of data breaches. This is one of the fastest-growing areas of litigation. Many filings are copycat suits, filed by multiple law firms competing to represent affected individuals, especially since early settlements can be lucrative for firms that act first.

The shrinking window for business response

The growing speed of breach litigation leaves businesses with little margin for error. Once a breach is disclosed, lawsuits can follow in days, if not hours. That reality makes it critical for executives and CISOs to shore up defenses before attackers ever get the chance to move sensitive data. Strong exfiltration controls are especially important, since preventing attackers from removing data can reduce not only the risk of legal fallout but also the long-term reputational harm that follows public disclosure.

How ThreatLocker helps CISOs stop data exfiltration

The three legal complaints against Healthcare Services Group point to the same underlying problem: Once attackers gain access, they can quietly move sensitive data out of the network. The ThreatLocker Zero Trust Endpoint Protection Platform is designed to prevent exfiltration before it begins.

  • Application Allowlisting stops unapproved software, scripts, and libraries from running. Ransomware or unauthorized file-copying tools cannot execute, cutting off one of the main pathways for data theft.
  • Ringfencing™ confines even approved applications so they can only access the files, registry keys, and network resources they truly need. For example, Microsoft Word cannot suddenly launch PowerShell to send files out of the environment.
  • Storage Control enforces granular rules around how data is accessed, when, and by whom. It applies across local folders, USB devices, network shares, and cloud storage, blocking unauthorized attempts to move sensitive files off-system.
  • Network Control gives CISOs the ability to restrict outbound traffic by port and source IP address, effectively shutting the door on rogue exfiltration attempts. Only authorized network connections are permitted, and everything else is invisible.
  • Elevation Control ensures that elevated privileges are granted to applications, not users. That means attackers cannot escalate a compromised account into a super-user capable of mass data theft.

Together, these layers make exfiltration far harder.

ThreatLocker blocks unapproved processes by default, restricts legitimate apps to their intended use, and tightly governs both storage and network traffic. For CISOs, this translates to fewer breach headlines and fewer lawsuits waiting in the wings.  Schedule a demo today.
