Margaritaville at Sea Data Breach, Customers’ Personal and Medical Info PII and PHI Exposed by Ransomware Attack 

ByAll About Lawyer Reading Time: 14 minutes

A class action lawsuit filed in December 2025 alleges Margaritaville at Sea (Classica Cruise Operator Ltd.) failed to protect customer data from a September 23, 2025 ransomware attack by the cybercriminal group Lynx that exposed names, Social Security numbers, passport details, addresses, dates of birth, financial information, and health data. Plaintiff Danielle Seaberg claims the cruise line failed to implement adequate cybersecurity measures, leaving customers vulnerable to identity theft and fraud.

This affects you if you were a Margaritaville at Sea customer or booked a cruise with the company anytime in 2025, particularly if you received a data breach notification letter. Understanding what information was compromised could help you protect yourself from identity theft, medical fraud, and financial scams that can persist for years after a breach.

What the Lawsuit Against Margaritaville at Sea Alleges

The Ransomware Attack Details

The lawsuit, filed as Seaberg v. Classica Cruise Operator Ltd. Inc., Case No. 6:25-cv-02072, in the U.S. District Court for the Middle District of Florida, centers on a September 23, 2025 cyberattack perpetrated by ransomware group Lynx. The complaint alleges Margaritaville at Sea failed to properly secure systems containing highly sensitive customer information.

Lynx is a rebrand of the INC ransomware group, which abuses remote management tools to deploy encryption payloads and extort victims. These attackers use “double extortion” tactics—they encrypt company data to disrupt operations while simultaneously stealing information to threaten public release or sale on the dark web if ransom demands aren’t met.

According to the complaint, the cybercriminals managed to extract names, dates of birth, addresses, passport details, financial information, Social Security numbers, health data and other personal information belonging to the defendant’s cruise customers. The attackers exploited weaknesses in Margaritaville at Sea’s cybersecurity infrastructure, gaining unauthorized access to customer databases.

What Margaritaville at Sea Allegedly Did Wrong

Plaintiff Danielle Seaberg claims the cruise line failed to implement adequate and reasonable cybersecurity procedures and protocols necessary to protect the private information of its customers. The lawsuit argues that despite having the resources to prevent the breach, Margaritaville at Sea nevertheless allowed it to occur through inadequate security measures.

The 58-page complaint alleges the company should have known customer data was a valuable target for cyberattacks, especially given the dramatic increase in corporate data breaches from 2023 to 2024. The filing points to a 211-percent increase in corporate data breaches during that period as evidence that companies handling sensitive customer information must prioritize cybersecurity.

Current Status of the Lawsuit

As of January 2026, the lawsuit remains in its earliest stages. The court has not yet ruled on any motions or certified the class. Margaritaville at Sea has not publicly responded to the allegations.

Seaberg filed the case seeking to represent a nationwide class of individuals affected by the September 23, 2025 breach. The plaintiff claims Margaritaville at Sea is guilty of negligence and negligence per se, breach of implied contract and unjust enrichment.

What Data Was Exposed and Why It Matters

Understanding PII—Personally Identifiable Information

PII refers to any information that can identify you as a specific individual. The Margaritaville breach allegedly exposed multiple types of PII, including names, addresses, dates of birth, passport numbers, Social Security numbers, and financial information.

Social Security numbers are particularly dangerous when exposed because they’re permanent—you can’t change them like passwords. Criminals use stolen SSNs to open fraudulent credit accounts, apply for loans in your name, file fake tax returns, or commit other forms of identity theft. Your SSN combined with your date of birth and address gives fraudsters everything needed to impersonate you.

Passport details create additional risks for international travelers. Criminals can use this information to forge travel documents or commit international fraud schemes. When combined with other personal data, passport information becomes even more valuable on the dark web.

Margaritaville at Sea Data Breach, Customers' Personal and Medical Info PII and PHI Exposed by Ransomware Attack 

Understanding PHI—Protected Health Information

PHI refers to health-related information that can identify you. This includes medical records, health conditions, medications, insurance information, vaccination records, health screening results, and medical history.

Cruise lines collect health information because passengers must disclose medical conditions, disabilities, dietary restrictions, medications, emergency contacts, and sometimes vaccination records. This data becomes PHI when it’s personally identifiable and stored by the company.

The exposure of PHI is especially serious because it creates risks beyond typical identity theft. Medical identity theft occurs when criminals use your health insurance information to obtain medical services, prescriptions, or file fraudulent insurance claims. These crimes can corrupt your medical records with incorrect information about conditions, treatments, or medications you never received—potentially affecting your future medical care.

PHI breaches may also trigger HIPAA violations depending on whether Margaritaville at Sea qualifies as a covered entity under federal health privacy laws. Even if HIPAA doesn’t directly apply, state health privacy laws may impose similar obligations.

The Risks You Face After This Breach

The complaint alleges that victims face heightened risk of identity theft and fraud, as well as time and money lost discovering and mitigating the effects; loss of control over the use of their private information, including unauthorized use of any stolen information; and continued compromise or publication of their private information online.

Because Lynx operates through double extortion, your data may already be posted on the dark web or sold to other criminals. This creates long-term vulnerability—your exposed information doesn’t expire. Criminals can use it months or years after the breach to commit fraud, especially if you don’t take protective action immediately.

Who Qualifies as Affected and What You Could Get

Determining If You’re a Potential Class Member

The lawsuit seeks to represent all U.S. residents affected by the September 23, 2025 Margaritaville at Sea data breach. You likely qualify if you booked a cruise, made reservations, or provided personal information to Margaritaville at Sea during 2025.

If you received a breach notification letter from Margaritaville at Sea or Classica Cruise Operator, you’re definitely affected. However, companies don’t always identify all victims immediately, so you might be affected even without receiving notice yet.

You don’t need to prove you’ve suffered identity theft or financial harm to be part of the class—simply having your data exposed in the breach is enough. You also don’t need to have actually sailed on a Margaritaville cruise; if you booked a reservation that was later canceled or simply inquired about cruises and provided information, you could still qualify.

What Compensation Might Be Available

The lawsuit demands actual, compensatory, statutory, and nominal damages for all class members. While no settlement has been reached, similar data breach cases provide context for potential compensation.

Recent cruise line settlements offer comparison points. The 2019 Carnival Cruise Line data breach affecting 180,000 employees and customers resulted in a $1.25 million multistate settlement—though that money went primarily to state attorneys general, not individual victims. Individual compensation typically depends on whether you can document specific losses or simply claim general exposure.

Based on similar 2025 data breach settlements, class members who can’t document specific harm might receive $20-$100 per person as a baseline payment. Those who can document actual losses—like credit monitoring costs, identity theft recovery expenses, or fraudulent charges—could potentially recover several thousand dollars.

The severity of this breach—exposing both PII and PHI together—may result in higher compensation than breaches exposing only basic contact information. Courts recognize that combined exposure of Social Security numbers, health data, and financial information creates particularly serious risks.

How Data Breach Class Actions Work

Unlike some class actions requiring you to affirmatively join, data breach cases typically include you automatically if you meet the class definition. However, you’ll need to respond to official class notices once the court certifies the class.

If the case settles, you’ll receive detailed instructions about filing a claim form, providing documentation of losses, or accepting the baseline payment option. The settlement will also explain your right to opt out and file your own individual lawsuit, though this rarely makes financial sense unless you suffered extraordinary documented losses.

Your Rights After a Data Breach

What Companies Must Do When Breaches Occur

Federal and state laws require companies to notify affected individuals after data breaches. While specific requirements vary by state, most laws mandate notification within 30-60 days of discovering a breach.

Companies must disclose what information was compromised, when the breach occurred, what steps they’re taking to address it, and what resources they’re offering to affected individuals. Many companies offer free credit monitoring services—Margaritaville at Sea has not publicly announced such an offering yet, but may be required to provide it as part of any settlement.

If PHI was exposed, HIPAA regulations impose additional requirements on covered entities. They must notify the Department of Health and Human Services within 60 days and, if more than 500 state residents are affected, notify major local media outlets.

Why Cruise Lines Handle Sensitive Medical Information

You might wonder why a cruise line has your health information. Cruise companies collect extensive medical data because they need to prepare for potential health emergencies at sea, accommodate disabilities, provide appropriate medical care onboard, ensure food service staff know about dietary restrictions and allergies, and verify vaccination requirements for certain destinations.

This makes cruise lines attractive targets for cybercriminals—they store a complete profile of your personal, financial, and health information all in one place.

Your Legal Recourse Beyond the Class Action

Beyond participating in the class action, you have other options. If you’ve already suffered measurable identity theft or financial fraud traceable to this breach, you could potentially file an individual lawsuit seeking higher damages. Most consumer attorneys work on contingency, meaning you pay nothing unless you win.

You can also file complaints with the Federal Trade Commission at IdentityTheft.gov and your state Attorney General’s consumer protection division. These reports create official records of the breach’s impact and help regulators investigate potential law violations.

Common Mistakes That Hurt Your Protection

Not Taking Breach Notifications Seriously

Many consumers ignore breach notification letters, assuming they’ll deal with problems if they arise. This is dangerous because early action prevents fraud more effectively than trying to fix it afterward.

Criminals often wait months before using stolen data, hoping you’ll let your guard down. By the time fraudulent accounts appear on your credit report, significant damage may already be done.

Failing to Monitor Credit and Accounts Closely

After a breach exposing Social Security numbers and financial information, you must monitor your credit reports religiously. Check all three credit bureaus—Equifax, Experian, and TransUnion—at least monthly. Look for unfamiliar accounts, inquiries you didn’t authorize, or addresses you don’t recognize.

Also scrutinize your bank and credit card statements weekly. Thieves often make small “test” charges before larger fraud. If you spot anything suspicious, report it immediately—waiting increases your liability for fraudulent charges.

Not Keeping Records

Save your breach notification letter, any correspondence from Margaritaville at Sea or class counsel, and documentation of all time spent addressing the breach. If you need to file claims for documented losses, these records become essential evidence.

Document every action you take—fraud alerts placed, credit freezes initiated, time spent on phone calls with banks or credit bureaus, and any expenses incurred. Even if you don’t initially plan to claim documented losses, circumstances may change if you later discover fraud.

What Happens Next in Data Breach Lawsuits

Typical Timeline for Class Actions

Data breach class actions follow a predictable path. First, Margaritaville at Sea will likely file a motion to dismiss, arguing the claims lack legal merit. This motion could take several months to resolve.

If the case survives dismissal, discovery begins—both sides exchange documents and evidence about the breach, the company’s security practices, and the harm to class members. This phase typically lasts 12-18 months and often includes expert witnesses analyzing cybersecurity standards.

Next comes class certification, where the court decides whether the case can proceed as a class action representing all affected customers. If certified, settlement negotiations often intensify because both sides face uncertainty at trial.

From filing to final resolution typically takes 2-4 years for data breach cases. Payment usually arrives 60-90 days after final court approval of any settlement.

What Settlement or Trial Means for You

If the parties reach a settlement, the court must approve it as fair, reasonable, and adequate. You’ll receive notice explaining the settlement terms, what you’ll receive, what you must do to participate, and deadlines for opting out or objecting.

Most class members accept settlements because the guaranteed payment outweighs the uncertainty of trial. However, if you’ve suffered catastrophic losses significantly exceeding the settlement offer, you might consider opting out to pursue individual litigation.

If the case goes to trial, a jury will determine whether Margaritaville at Sea is liable and, if so, what damages are appropriate. Trial outcomes are unpredictable—plaintiffs could win substantial verdicts or recover nothing.

If You Were a Margaritaville at Sea Customer

Verify Your Affected Status

Start by checking whether you received any communication from Margaritaville at Sea about a data breach. Companies often send notices by both mail and email, so check both.

If you booked a cruise in 2025 but haven’t received notification, contact Margaritaville at Sea directly to inquire about your status. Keep records of these communications.

Even without official notice, if you provided information to the company during 2025, assume you’re potentially affected and take protective action. Don’t wait for confirmation before protecting yourself.

Save All Evidence

Preserve any breach notification letters, emails from Margaritaville at Sea, or correspondence from class action attorneys. These documents prove you’re a class member and may be required when filing claims.

Don’t delete emails from class counsel—these contain important deadlines and instructions. Set up email filters to ensure these messages don’t go to spam.

If you’ve experienced any suspicious activity—unfamiliar credit inquiries, strange charges, or identity theft—document everything immediately. Take screenshots, keep statements, and file police reports if necessary.

Protecting Yourself After the Breach

Place Fraud Alerts and Credit Freezes

Contact all three credit bureaus immediately to place fraud alerts on your credit reports. Fraud alerts notify creditors they should verify your identity before opening new accounts in your name. These last one year and are free.

Consider going further with credit freezes, which completely block access to your credit reports. This prevents anyone, including you, from opening new credit accounts without first unfreezing your reports using a PIN. Freezes are free and more effective than fraud alerts but less convenient.

Monitor Credit Reports and Financial Accounts

Request free credit reports from all three bureaus at AnnualCreditReport.com. After a breach, you’re entitled to additional free reports beyond the standard annual report.

Set up credit monitoring alerts with each bureau to notify you of new accounts, inquiries, or changes to your credit report. Many credit card companies and banks offer free credit monitoring—enable these services if available.

Check your bank and credit card statements at least weekly. Don’t just review charges—look for small unfamiliar amounts that could be criminals testing whether the card works before making larger purchases.

Protect Your Medical Records and Insurance

If health data was exposed, monitor your medical records and insurance explanation of benefits statements for unfamiliar services, prescriptions, or providers you didn’t visit.

Contact your health insurance company to request copies of all claims filed in your name. Medical identity theft often goes undetected for months because people don’t regularly check these records.

If you discover fraudulent medical charges, file a complaint with your insurance company immediately and request correction of your medical records. Incorrect information in your medical history could affect future treatment or insurance coverage.

Be Alert for Phishing and Social Engineering

Criminals will use your exposed information to create convincing phishing emails and phone calls. They might reference your recent Margaritaville cruise, use your correct address or other personal details, and claim to be from your bank, credit card company, or government agencies.

Never click links in unexpected emails or provide information to unsolicited callers. If someone claims to be from your bank or other organization, hang up and call the official number from the company’s website—not any number the caller provides.

Monitoring the Lawsuit and Your Options

How to Stay Updated on the Case

You don’t need to “join” the class action—if you meet the class definition, you’re automatically included once the court certifies the class. However, you should monitor case developments.

Check the court docket through PACER (Public Access to Court Electronic Records) by searching for Case No. 6:25-cv-02072 in the Middle District of Florida. Major developments like class certification, settlement agreements, or trial dates will appear there.

Visit class action settlement tracking websites like ClassAction.org and TopClassActions.com. These sites publish updates when significant events occur in major consumer cases.

If the case settles, you’ll receive official notice by mail or email with detailed instructions. This notice will explain how to file claims, opt out, or object to the settlement terms.

Understanding Your Participation Options

Once the court certifies the class (if it does), you’ll have several choices. You can stay in the class and be bound by whatever settlement or judgment results—this is what most class members do because it’s effortless and guarantees some recovery.

You can opt out and preserve your right to sue Margaritaville at Sea independently. This only makes sense if you’ve suffered documented losses substantially exceeding what the class settlement offers and can afford to hire your own attorney.

You can also remain in the class but object to any proposed settlement you believe is unfair. The court will consider objections when deciding whether to approve the settlement.

Frequently Asked Questions

What is the Margaritaville at Sea data breach lawsuit about?

The lawsuit alleges Margaritaville at Sea failed to implement adequate cybersecurity measures, allowing the ransomware group Lynx to breach its systems on September 23, 2025. The breach exposed customer names, Social Security numbers, passport details, addresses, dates of birth, financial information, and health data.

What information was exposed in the Margaritaville breach?

The breach allegedly compromised both personally identifiable information (PII) including names, addresses, Social Security numbers, dates of birth, passport numbers, and financial data, and protected health information (PHI) such as medical records, health conditions, and insurance information that cruise passengers provided.

What is PII and PHI?

PII (personally identifiable information) is data that can identify you specifically, like your name, SSN, or address. PHI (protected health information) is health-related data tied to your identity, like medical records or insurance details. Combined exposure of both creates serious identity theft and medical fraud risks.

Am I part of the Margaritaville data breach lawsuit?

You’re likely a potential class member if you’re a U.S. resident who booked a cruise, made reservations, or provided personal information to Margaritaville at Sea during 2025. If you received a breach notification letter from the company, you’re definitely affected.

How much money can I get from the data breach lawsuit?

No settlement has been reached yet. Based on similar 2025 data breach settlements, class members without documented losses might receive $20-$100, while those who can prove specific expenses like identity theft costs or credit monitoring could potentially recover several thousand dollars.

What should I do if I was a Margaritaville customer?

Immediately place fraud alerts or credit freezes on your credit reports, monitor your accounts and credit reports closely, save your breach notification letter, document any suspicious activity, change passwords for any Margaritaville accounts, and watch for official class action notices.

Has Margaritaville at Sea settled the data breach lawsuit?

No. The lawsuit was filed in December 2025 and remains in its earliest stages as of January 2026. The court has not yet certified the class or ruled on any motions. Settlement negotiations, if they occur, typically happen later after class certification.

Last Updated: January 13, 2026 — We keep this current with the latest legal developments.

💡 Pro Tip: Place a credit freeze with all three credit bureaus immediately if your Social Security number was exposed. Unlike fraud alerts that last one year, credit freezes remain until you lift them and provide much stronger protection against new account fraud. You can unfreeze temporarily when you need to apply for credit, then refreeze afterward.

Disclaimer: This article provides information about the Margaritaville at Sea data breach lawsuit based on court filings and data breach laws. It is not legal advice. The outcome of data breach class actions varies, and AllAboutLawyer.com does not provide legal services or represent the class. If you have specific questions about your eligibility for the Margaritaville at Sea data breach lawsuit or need guidance about protecting yourself after PII and PHI exposure, consult a qualified <a href=”https://allaboutlawyer.com/nelnet-data-breach-class-action-lawsuit-10m-settlement-pays-up-to-5000-cash-file-your-claim-before-march-5-2026/”>data breach</a> or consumer rights attorney.

Take Action: Report identity theft at the FTC’s IdentityTheft.gov 

Stay informed, stay protected. — AllAboutLawyer.com

About the Author

Sarah Klein, JD

Sarah Klein, JD, is a licensed attorney and legal content strategist with over 12 years of experience across civil, criminal, family, and regulatory law. At All About Lawyer, she covers a wide range of legal topics — from high-profile lawsuits and courtroom stories to state traffic laws and everyday legal questions — all with a focus on accuracy, clarity, and public understanding.
Her writing blends real legal insight with plain-English explanations, helping readers stay informed and legally aware.
Read more about Sarah

Leave a Reply

Your email address will not be published. Required fields are marked *