HIPAA Times news | Concise, reliable news and insights on HIPAA compliance and regulations

Payactiv faces investigation after massive data breach exposes PHI

Written by Kirsten Peremore | Oct 25, 2025 11:38:46 PM

Two major law firms, Lynch Carpenter LLP and Federman & Sherwood, have launched investigations and potential class action lawsuits against Payactiv, Inc. following its 2025 data breach.


What happened

The lawsuits focus on allegations that Payactiv failed to adequately safeguard the personal information of more than 100,000 individuals, including names and Social Security numbers. Lynch Carpenter began investigating claims soon after Payactiv mailed notification letters to affected customers in late September 2025, inviting individuals to join potential litigation for compensation. 

Similarly, Federman & Sherwood announced on October 20, 2025, that it was investigating whether Payactiv violated data protection laws and industry security standards by allowing unauthorized access to its systems between April and August 2025. Both firms are gathering claims to determine the full scope of damages and whether Payactiv’s cybersecurity measures met reasonable standards under consumer protection and privacy laws. 


The backstory

The Payactiv data breach came to light after the company detected suspicious network activity that turned out to be an unauthorized intrusion into its internal systems. On August 19, 2025, Payactiv identified signs of unusual behavior within its network and promptly began an investigation with the help of third-party cybersecurity experts.

Investigators determined that the unauthorized actor had access to Payactiv's systems between April 3 and August 20, 2025, a dwell time of more than four months, during which files containing personal information such as names and Social Security numbers were viewed and potentially exfiltrated. Note that the reported access window ends one day after the activity was first detected, so the actor still had access while the investigation was getting underway. On September 12, 2025, Payactiv confirmed that sensitive data had been compromised. According to its filing with the Maine Attorney General, at least 118 Maine residents were affected, and the total number nationwide likely exceeded 100,000 people.

The notices characterize the incident as a direct intrusion into Payactiv's network environment rather than a phishing or email account compromise, though no specific vulnerability or initial access vector is identified. Once the breach was discovered, Payactiv notified law enforcement, began strengthening its cybersecurity infrastructure, and offered affected individuals one year of free credit monitoring and identity theft protection through Epiq Privacy Solutions ID to mitigate the harm.


What was said

According to Federman & Sherwood, “Payactiv stated that it has taken steps to enhance its security measures and prevent future incidents of this nature.

Federman & Sherwood is investigating this incident to determine the full scope of the breach, the adequacy of Payactiv’s data security measures, and the potential risks faced by affected individuals.”


Why it matters

Courts increasingly hold organizations financially accountable when their data security does not measure up. A recent example is Akumin Operating Corp., a healthcare imaging provider that agreed to a $1.5 million settlement after a ransomware attack on October 11, 2023, exposed sensitive patient information. 

Although Akumin denied wrongdoing, the settlement provided compensation of up to $2,500 for documented fraud-related losses and one year of medical data monitoring to affected individuals. The Payactiv investigations are following a similar path. Like Akumin, Payactiv faces accusations that it failed to sufficiently safeguard personal data against known cybersecurity threats.

See also: HIPAA Compliant Email: The Definitive Guide (2025 Update)


FAQs

What is a data breach?

A data breach happens when sensitive or confidential information, like names, Social Security numbers, financial details, or medical data, is accessed, stolen, or shared without authorization. Breaches can occur due to hacking, phishing, malware, or even employee mistakes.


Who is responsible for reporting a healthcare data breach?

Covered entities are responsible for notifying affected individuals, the U.S. Department of Health and Human Services (HHS) and, where required, the media when unsecured PHI is breached. A business associate that causes or discovers a breach must notify the covered entity without unreasonable delay and no later than 60 days after discovery (or sooner if its business associate agreement sets a shorter deadline). The covered entity then handles the official reporting to HHS and to affected individuals, unless the business associate agreement delegates those notifications to the business associate.


How soon must a breach be reported?

HIPAA's Breach Notification Rule requires that affected individuals be notified without unreasonable delay and no later than 60 calendar days after the breach is discovered, regardless of how many people are affected. Breaches affecting 500 or more individuals must also be reported to HHS within that same 60-day window, and when more than 500 residents of a single state or jurisdiction are affected, prominent media outlets serving that area must be notified as well. Breaches affecting fewer than 500 individuals must still be logged and reported to HHS within 60 days after the end of the calendar year in which they were discovered.