On January 25 and 26, 2025, cybercriminals gained unauthorized access to Wilkes University’s network in Wilkes-Barre, Pennsylvania, compromising sensitive information of 27,632 current and former students and employees. The university discovered evidence of the intrusion on September 22, 2025, after an extensive forensic investigation and manual document review conducted with external cybersecurity professionals.
According to Wilkes, the exposed data varied by individual but could include names, addresses, dates of birth, Social Security numbers, driver’s license or state ID numbers, student IDs, financial account details, financial aid records, health insurance policy numbers, and medical alert information. On October 8, 2025, Wilkes began sending notification letters to impacted individuals and offered complimentary credit monitoring for those whose Social Security numbers were involved.
Soon after, on October 15 and October 16, 2025, plaintiffs Maria Grandinetti, Autumn Bullek, and Vincent Abbott filed a class-action lawsuit in the U.S. District Court for the Middle District of Pennsylvania (Case Nos 3:2025-cv-01941 and 3:2025-cv-01948).
The lawsuit, filed on behalf of all affected individuals, alleges negligence, breach of implied contract, and unjust enrichment, and seeks over $5 million in damages. The plaintiffs argue that Wilkes delayed notifying victims and failed to adequately safeguard private information, leaving them ‘in the dark’ about where their data ended up and how it might be used.
According to the notice of security incident, Wilkes stated they “commenced a prompt and thorough investigation into the incident and worked very closely with external cybersecurity professionals experienced in handling these types of situations to help determine whether any personal or sensitive data, if any, was involved.”
They added, “After an extensive forensic investigation and manual document review, we discovered on September 22, 2025, that the impacted systems, which were accessed between or about January 25, 2025, and on or about January 26, 2025, contained some individuals’ personal information.”
The complaint alleges that the University’s data breach-related conduct, specifically the January 25-26, 2025 intrusion and the delayed notification to affected individuals, constituted causes of action including negligence, breach of implied contract, and unjust enrichment, seeking damages in excess of $5 million.
Law-firm notices (like Markovits, Stock & DeMarco, LLC) indicate that the breach affected approximately 27,632 individuals. As of now, the case is in its early pleadings stage, Wilkes University has been served, and the plaintiffs’ firms are gathering class-action claims, but no public settlement or court judgment has yet been reported.
See also: HIPAA Compliant Email: The Definitive Guide (2025 Update)
A class action is a legal case filed by one or more plaintiffs on behalf of a larger group of people who suffered similar harm. In data breach cases, this typically means all individuals whose personal information was exposed due to a company’s or institution’s negligence.
Anyone whose data or rights were affected by the same incident may qualify as a class member. In the Wilkes University case, that includes the 27,632 students and employees whose personal information was accessed during the January 2025 cyberattack.
Class actions often take months to years to resolve, depending on how complex the case is. Courts must approve the class certification, and defendants may try to dismiss or settle before trial.