Brown Advisory LLC Faces Data Breach Investigation Following January 2026 Security Incident

Law firms have opened investigations into potential class action claims against Baltimore-based investment manager Brown Advisory LLC following a January 2026 cybersecurity incident in which an unauthorized threat actor gained access to certain company systems. According to a notice filed with the Massachusetts Attorney General’s office on March 3, 2026, the breach affected at least 134 Massachusetts residents, with the total number of affected individuals across the country not yet publicly disclosed. No lawsuit has been filed in court as of the date of this article, and no settlement has been reached.

Quick Case Snapshot

• Subject of Investigation: Brown Advisory LLC
• Headquarters: 901 S Bond Street, Suite 400, Baltimore, Maryland 21231
• Incident Date Discovered: January 21, 2026
• State AG Notice Filed: Massachusetts — March 3, 2026
• Known Affected Individuals: At least 134 Massachusetts residents; national total not yet disclosed
• Investigating Law Firm: Shamis & Gentile P.A.
• Court Filed / Case Number: No complaint filed as of March 4, 2026
• Claims Under Investigation: Negligence, failure to safeguard personal information
• Defendant’s Response: Brown Advisory has issued a breach notification letter and is offering 24 months of complimentary Experian IdentityWorks credit monitoring to affected individuals
• Current Status: Pre-litigation investigation stage; no formal complaint filed

What Happened — Background and Timeline

On January 21, 2026, Brown Advisory discovered a security incident involving unauthorized access by a recognized threat actor to certain of its systems. Upon learning of the issue, the company promptly engaged leading cybersecurity experts and initiated an investigation into the matter. It also notified law enforcement.

Based on the investigation, there was no evidence the criminal actor had access to transactions, trading, or client investments. However, the investigation did determine that personal information stored on affected systems may have been viewed or accessed.

The breach affected at least 134 Massachusetts residents, according to the notice filed with the Massachusetts Attorney General’s office on March 3, 2026. The company began mailing notification letters to affected individuals in early March 2026, signed by Edward Chadwyck-Healey, Global COO of Brown Advisory’s Private Client, Endowments and Foundations Business.

What Information May Have Been Compromised

Depending on the affected individual’s interactions with the company, the incident may have impacted personal information such as names, phone numbers, email addresses, addresses, Social Security numbers, driver’s license images, passport images, and financial account numbers.

The range and sensitivity of the information involved — particularly Social Security numbers, government-issued ID images, and financial account numbers — is significant. For investment management clients, this combination of data types creates the potential for identity theft, unauthorized account access, and financial fraud if misused.

Related article: Higginbotham Insurance Agency Data Breach Affects 9,089 Texans SSNs and Financial Data Exposed

What the Investigation Alleges

Shamis & Gentile P.A., one of the nation’s premier class action law firms specializing in data breach cases, is investigating the Brown Advisory LLC data breach. If you were affected by the data breach, your sensitive personally identifiable information may have been exposed, and you may be eligible for compensation.

No formal complaint has been filed in any court as of March 4, 2026. Pre-litigation investigations of this type are a common first step in the class action process — attorneys gather information from potentially affected individuals, assess the viability of legal claims, and determine whether sufficient grounds exist to file a lawsuit. Potential legal theories in data breach cases of this nature typically include negligence, breach of implied contract, unjust enrichment, and invasion of privacy. These are allegations that would need to be proven in court; no court has yet made any finding against Brown Advisory.

Brown Advisory’s Response

In its official breach notification letter to affected individuals, Brown Advisory described the remediation steps it has taken. The company took numerous actions consistent with its forensic provider’s current recommendations to fully evict the threat actor from the environment, including resetting passwords and session tokens for the known compromised account.

Brown Advisory is offering 24 months of identity protection services and credit monitoring through Experian IdentityWorks at no charge to affected individuals. Affected individuals must enroll by June 30, 2026. The monitoring package includes an Experian credit report at signup, active credit file monitoring, access to Identity Restoration specialists, and up to $1 million in identity theft insurance coverage.

Brown Advisory has not issued a public denial of liability or addressed the law firm investigations through any verified public statement at the time of writing.

About Brown Advisory

Brown Advisory LLC is an independent investment management and strategic advisory firm headquartered in Baltimore, Maryland. Founded in 1993, the company serves individuals, families, institutions, nonprofits, and financial intermediaries across all 50 states and more than 44 countries and territories. Brown Advisory is majority employee-owned, with about 1,000 colleagues worldwide, and is registered with the Securities and Exchange Commission as an investment adviser.

As a registered investment adviser with the SEC, Brown Advisory is subject to federal securities law obligations regarding disclosure and client data protection, as well as state-level data breach notification laws across all 50 states.

Legal Context — Why This Case Matters

Data breach litigation against financial advisory and investment management firms has grown substantially in recent years. The scale of data breach class actions continued its record growth in 2025, as companies faced copycat and follow-on lawsuits across multiple jurisdictions, with a virtual explosion in privacy class action litigation making compliance with privacy and data privacy laws a corporate imperative.

Investment advisers and wealth management firms present a particularly attractive target for threat actors because of the depth and financial sensitivity of the personal data they hold — often including tax records, Social Security numbers, passport information, and significant asset data. A breach at a firm managing assets for high-net-worth individuals, foundations, and institutions creates heightened risk exposure for affected clients.

Under most U.S. state breach notification laws, companies are required to notify affected individuals within a specific timeframe — ranging from 30 to 90 days depending on the state — after discovering a breach. Brown Advisory’s filing with the Massachusetts AG on March 3, 2026, suggests it completed its investigation approximately six weeks after discovering the incident on January 21, 2026. Whether that timeline satisfies notification requirements under applicable state laws may become a focus of any litigation that follows.

Current Status and What Happens Next

This matter remains at the pre-litigation investigation stage. No court complaint, class certification motion, or settlement has been filed or reached as of March 4, 2026. Here is the expected progression:

• Investigation phase (current) — Law firms are gathering information from potentially affected individuals and assessing whether viable legal claims exist.
• Complaint filing — If attorneys determine viable claims exist, they may file a formal complaint in federal or state court, likely in Maryland (where Brown Advisory is headquartered) or in jurisdictions with large numbers of affected individuals.
• Class certification motion — Plaintiffs would then seek to have the court certify the case as a class action on behalf of all affected individuals nationwide.
• Discovery — Both sides would exchange documents and information relevant to the alleged security failure, including Brown Advisory’s cybersecurity policies, vendor contracts, and incident response timeline.
• Settlement or trial — Most data breach class actions resolve through negotiated settlement rather than trial. The timeline from investigation to settlement typically spans 12 to 36 months.

Individuals who received a breach notification letter from Brown Advisory should enroll in the complimentary Experian IdentityWorks monitoring before the June 30, 2026 enrollment deadline, monitor their financial accounts and credit reports for unusual activity, and consider placing a fraud alert or security freeze with the three major credit bureaus (Equifax, Experian, and TransUnion) as a precaution.

Frequently Asked Questions

What data was compromised in the Brown Advisory breach? 

The information potentially involved includes names, phone numbers, email addresses, addresses, Social Security numbers, driver’s license images, passport images, and financial account numbers, depending on the affected individual’s interactions with the firm.

How many people were affected by the Brown Advisory breach?

 According to the notice filed with the Massachusetts Attorney General’s office on March 3, 2026, the breach affected at least 134 Massachusetts residents. The total number of individuals affected nationwide has not been publicly disclosed as of this article’s publication date.

Has a lawsuit been filed against Brown Advisory? 

No. As of March 4, 2026, no formal lawsuit has been filed in any court. Shamis & Gentile P.A. has publicly announced it is investigating potential class action claims on behalf of affected individuals, but the investigation has not yet resulted in a filed complaint.

What is Brown Advisory doing for affected individuals? 

Brown Advisory is offering complimentary 24-month Experian IdentityWorks membership to affected individuals, which includes credit monitoring, Identity Restoration support, and up to $1 million in identity theft insurance. Affected individuals must enroll by June 30, 2026.

What should I do if I received a breach notification from Brown Advisory? 

Enroll in the free Experian IdentityWorks monitoring before June 30, 2026 using the activation code in your notification letter. Review your bank and investment account statements closely. You may also consider placing a free fraud alert or credit freeze with the three major credit bureaus as an additional precaution.

Last Updated: March 4, 2026

This article is for informational purposes only and does not constitute legal advice. Allegations in an investigation or complaint are not findings of fact. All parties are presumed innocent unless and until proven otherwise in court.

About the Author

Sarah Klein, JD, is a licensed attorney and legal content strategist with over 12 years of experience across civil, criminal, family, and regulatory law. At All About Lawyer, she covers a wide range of legal topics — from high-profile lawsuits and courtroom stories to state traffic laws and everyday legal questions — all with a focus on accuracy, clarity, and public understanding.
Her writing blends real legal insight with plain-English explanations, helping readers stay informed and legally aware.
Read more about Sarah