Beacon Mutual Insurance Data Breach Lawsuit, Did the January 2026 Ransomware Attack Expose Your Personal Information? DiMeo v. The Beacon Mutual Insurance Company and Malloy v. The Beacon Mutual Insurance Company

The Beacon Mutual Insurance Company began mailing letters to approximately 162,000 affected individuals on May 18, 2026, confirming that a ransomware attack between January 7 and January 14, 2026 had exposed sensitive personal information including Social Security numbers, driver’s license numbers, financial account numbers, health insurance information, and medical treatment information. Two class action lawsuits have already been filed — one in Rhode Island Superior Court on May 22, 2026, and a second in the U.S. District Court for the District of Rhode Island on May 25, 2026. No settlement has been reached. If you received a breach notice from Beacon Mutual or believe your information was exposed, here is what happened and what your options are right now.

Beacon Mutual Insurance Data Breach — Key Facts

Field	Detail
Breach Dates	January 7–14, 2026
Defendant	The Beacon Mutual Insurance Company
Alleged Harm	Failure to implement adequate cybersecurity; failure to encrypt sensitive data; delayed breach notification — more than four months after the attack was detected
Data Exposed	Names, Social Security numbers, driver’s license numbers, financial account numbers, health insurance information, medical treatment information
Total People Affected	Approximately 162,000 — including 131,207 in Rhode Island and 11,890 in Massachusetts
States Covered by Business	Rhode Island, Massachusetts, Connecticut
Ransomware Group	INC Ransom — claimed responsibility January 29, 2026; posted data on dark web
Data Claimed Stolen	275 GB of internal files
Notification Letters Sent	May 18, 2026 — more than four months after breach detected
Lawsuits Filed	DiMeo v. Beacon Mutual (R.I. Superior Court, May 22, 2026); Malloy v. Beacon Mutual (U.S. District Court, District of Rhode Island, May 25, 2026)
Laws Alleged	Negligence; negligence per se; unjust enrichment; breach of implied contract; breach of confidence; HIPAA privacy rules
Settlement Status	No settlement reached
Free Monitoring Offered	One year of identity monitoring through Experian IdentityWorks for those with SSNs or driver’s license numbers involved
Beacon Mutual Helpline	833-918-8448
Last Updated	May 28, 2026

Who Is Beacon Mutual Insurance and Why Are They Facing a Data Breach Lawsuit?

The Beacon Mutual Insurance Company is a mutual insurance company based in Warwick, Rhode Island, established in 1992. Beacon Mutual is the largest writer of workers’ compensation insurance in Rhode Island, providing coverage to businesses in Rhode Island, Massachusetts, and Connecticut.

Because Beacon Mutual handles workers’ compensation claims, the data it holds is especially sensitive. It includes not just policyholder contact information, but Social Security numbers, medical treatment records, health insurance details, and financial account numbers belonging to injured workers — people who filed claims after workplace injuries and trusted their insurer to protect that information. Beacon Mutual provides workers’ compensation insurance to Rhode Island state employees, and approximately 4,500 current and former state employees were among those affected.

What Happened in the Beacon Mutual Ransomware Attack — and When Did the Company Tell You?

According to Beacon Mutual’s website, the affected data was accessed between January 7 and January 14, 2026, and included files that contained the first name or first initial and last name along with one or more of: Social Security number, driver’s license number, financial account number, health insurance information, and/or medical treatment information.

Shortly after the intrusion, on January 31, 2026, a ransomware group known as INC RANSOM posted a claim on the dark web’s Tor network stating it had obtained 275 gigabytes of the company’s data. The group claimed the compromised data included internal corporate documents and correspondence, complete financial statements and reports spanning 2018 through 2025, a full employee list with personal details, and confidential agreements, NDAs, vendor contracts, and partnership documents.

Beacon Mutual conducted what it described as a comprehensive and time-intensive file review, and on April 16, 2026, determined that some of the extracted documents contained sensitive personal information belonging to customers and claimants. The company began mailing notification letters on May 18, 2026 — more than four months after the suspicious activity was first discovered.

That delay sits at the center of both lawsuits. The complaint in DiMeo v. Beacon Mutual states directly that “despite learning of the data breach on or about January 14, 2026, and determining that private information was involved in the breach, Beacon Mutual did not begin sending notices of the data breach until on or about May 18, 2026 — more than four months later.”

The lawsuit also specifies who was at risk: the breach involved “information that was entrusted to Beacon Mutual in connection with workers’ compensation insurance coverage, claims administration, and related services — including injured workers.”

INC Ransom has been observed to use the double extortion method — first encrypting files on a victim’s network and demanding payment to unlock them, then threatening to post the stolen data online if a second ransom is not paid. Beacon Mutual stated it is not in communication with INC Ransom.

To see how a similar benefits and insurance company data breach — exposing the same types of data — resulted in a class action settlement, see our coverage of how the Sequoia Benefits and Insurance data breach settlement compensated workers whose Social Security numbers and health insurance details were exposed by their benefits provider.

A separate section of the Malloy filing alleges Beacon violated HIPAA’s privacy rules by failing to safeguard electronic protected health information. The Malloy complaint says Beacon kept information unencrypted and failed to use reasonable security procedures matched to its sensitivity. To see how a comparable workers’ compensation-adjacent case — with similar data types including SSNs and health information — resulted in compensation for affected claimants, see how the Youth and Shelter Services data breach settlement compensated affected workers and claimants whose Social Security numbers were exposed.

If you received a Beacon Mutual breach notice letter in May 2026, or if you are a current or former workers’ compensation policyholder or claimant in Rhode Island, Massachusetts, or Connecticut, this case may directly affect you.

Related article: $665K Resident Home Deceptive Pricing Settlement, Check If You Qualify for a $30 Voucher, File Your Claim by July 10, Regina Molloy v. Resident Home, LLC, No. 25CU057416N

Are You Part of the Beacon Mutual Insurance Data Breach Class Action?

Here is exactly how to tell whether this lawsuit includes you.

You likely qualify if:

• You received a data breach notification letter from Beacon Mutual dated May 2026
• You are a current or former workers’ compensation policyholder at Beacon Mutual in Rhode Island, Massachusetts, or Connecticut
• You are a current or former claimant whose workers’ compensation claim was administered by Beacon Mutual
• You are a current or former Rhode Island state employee — approximately 4,500 state workers are among those affected
• Your personal information — including your Social Security number, driver’s license, financial account details, health insurance information, or medical treatment records — was stored in Beacon Mutual’s systems

You likely do NOT qualify if:

• You are a director, officer, or employee of Beacon Mutual in a capacity excluded from the class definition
• You are the judge assigned to either case
• You have no connection to Beacon Mutual as a policyholder, claimant, or employee

Beacon Mutual Policyholders Outside Rhode Island — Are You Still Covered?

The proposed class in the Malloy federal filing includes more than 100 members, and the amount in controversy exceeds $5 million. Beacon Mutual operates in Rhode Island, Massachusetts, and Connecticut. Both state and federal lawsuits are active. If you are a policyholder or claimant in Massachusetts or Connecticut who received a breach notice, you are likely included in the proposed nationwide class regardless of where you live today.

If you are unsure whether your specific situation qualifies for the Beacon Mutual data breach class action, a free consultation with a data privacy attorney can help you assess your options before the cases move further in court.

What Are Beacon Mutual Policyholders and Claimants Asking the Court to Award?

No money is available right now. No claim form exists. Both lawsuits are in active early litigation.

The Malloy complaint is asking for class certification, damages, statutory penalties to the extent available, restitution, attorneys’ fees, and a jury trial. The causes of action are negligence, negligence per se, unjust enrichment, breach of implied contract, and breach of confidence.

The DiMeo lawsuit seeks lifetime credit monitoring and damages for those impacted. Attorney Peter Wasylyk stated: “When companies collect and store sensitive personal information, they have a responsibility to safeguard it, and our complaint alleges that The Beacon Mutual Insurance Company failed to meet that obligation.”

What Could Beacon Mutual Data Breach Victims Receive If This Case Settles?

No settlement amount exists to report. If these cases consolidate and settle, recoveries in data breach cases of this type — involving Social Security numbers, medical data, and large affected populations — have ranged from flat cash payments of $50 to $100 for affected individuals without documented losses, up to $2,500 or more for those who suffered verifiable identity theft or fraud. The four-month notification delay and the HIPAA allegations in the Malloy complaint are factors that could influence settlement value. Speak with a data privacy attorney to understand what your individual situation may be worth.

What Should Beacon Mutual Policyholders and Claimants Do Right Now?

1. You are likely already included. Most affected policyholders and claimants are automatically part of the proposed class. You do not need to file anything today to preserve your place in the lawsuit.
   
2. Save your breach notification letter. The May 2026 letter from Beacon Mutual is your primary documentation that you were identified as an affected individual. Keep it — physical copy and a photo of it.
   
3. Check what data was exposed about you. Those receiving the May 18 letter were told that the company determined on April 16, 2026, “that one or more of those files contained your name, Social Security number, and health insurance subscriber identification number.” Your letter will specify which data types were involved.
   
4. Consider enrolling in Beacon Mutual’s free monitoring — but know it does not waive your legal rights. Beacon Mutual offered credit monitoring to everyone who has a Social Security number or driver’s license number involved. You can enroll in the one-year Experian IdentityWorks offer without giving up your right to participate in the class action or consult an attorney. Accepting free monitoring is not a waiver.
   
5. Place a fraud alert or credit freeze now. Given that INC Ransom posted 275 GB of stolen data publicly on the dark web in January 2026, your information has likely been circulating online for months. Contact all three credit bureaus — Equifax, Experian, and TransUnion — to place a fraud alert or credit freeze.
   
6. Call the Beacon Mutual helpline if you were not reached by mail. Beacon has set up a toll-free call center at 833-918-8448 for individuals who believe they may have been affected but were not reached by mail.
   
7. Monitor your accounts for identity fraud. The lawsuit warns that armed with the exposed data, thieves can commit a variety of crimes including opening new financial accounts and taking out loans. Monitor your bank statements, credit card accounts, and credit reports closely.

Beacon Mutual Data Breach Lawsuit Timeline

Milestone	Date
Unauthorized access to Beacon Mutual systems begins	January 7, 2026
Beacon Mutual detects suspicious activity and isolates systems	January 14, 2026
Beacon Mutual restores operations	January 20, 2026
INC Ransom claims responsibility on dark web — claims 275 GB of stolen data	January 29–31, 2026
Beacon Mutual publicly confirms ransomware attack following media inquiry	February 2026
Beacon Mutual completes file review — determines personal data was exposed	April 16, 2026
Beacon Mutual begins mailing breach notification letters to approximately 162,000 affected individuals	May 18, 2026
DiMeo v. The Beacon Mutual Insurance Company filed — Rhode Island Superior Court	May 22, 2026
Malloy v. The Beacon Mutual Insurance Company filed — U.S. District Court, District of Rhode Island	May 25, 2026
Next scheduled hearing	TBD — both cases in early litigation
Expected resolution	TBD — no settlement announced as of May 28, 2026

Beacon Mutual Insurance Data Breach — Frequently Asked Questions

Is there a class action lawsuit against Beacon Mutual Insurance over the January 2026 data breach?

 Yes — two. DiMeo v. The Beacon Mutual Insurance Company was filed May 22, 2026, in Rhode Island Superior Court on behalf of state worker Aria DiMeo. Malloy v. The Beacon Mutual Insurance Company was filed May 25, 2026, in the U.S. District Court for the District of Rhode Island by plaintiff Kevin Malloy. Both are in active early litigation. No settlement has been reached as of May 28, 2026.

Do I need to do anything right now to be included in the Beacon Mutual class action? 

No immediate action is required to remain in the proposed class. You should, however, save your breach notification letter, consider placing a credit freeze with all three bureaus, and monitor your accounts for fraudulent activity. The INC Ransom group posted the stolen data publicly in late January 2026 — your information has been potentially accessible for months.

Why did Beacon Mutual wait more than four months to notify affected people?

 Beacon Mutual says it conducted a “comprehensive and time-intensive” review of stolen files to identify exactly whose data was included before it could send accurate notices. The company determined on April 16, 2026, which specific files contained personal information, then began mailing on May 18, 2026. Both class action complaints directly challenge this timeline, arguing the delay left affected individuals exposed to identity theft without warning.

Does accepting Beacon Mutual’s free credit monitoring waive my right to join the lawsuit?

 No. Accepting Beacon Mutual’s one-year Experian IdentityWorks offer does not waive your right to be part of the class action or consult an attorney. You can enroll and still participate in any future settlement.

What specific laws does Beacon Mutual allegedly violate in the data breach lawsuits?

 The Malloy federal complaint alleges negligence, negligence per se, unjust enrichment, breach of implied contract, breach of confidence, and violations of HIPAA’s privacy rules for failure to safeguard electronic protected health information. The DiMeo state complaint alleges failures to properly secure, encrypt, and timely notify affected individuals. Both complaints cite the sensitivity of workers’ compensation data as creating a heightened duty of care.

Can I file my own lawsuit against Beacon Mutual instead of joining the class action?

 Yes. You can opt out of the class and pursue individual claims, particularly if you suffered significant, documented financial losses from identity theft traced to this breach. Speak with a data privacy attorney before any opt-out deadline is published by the court.

How much could Beacon Mutual data breach victims receive if this case settles? 

No money is available and no settlement exists as of May 28, 2026. Recovery amounts in comparable insurance and benefits data breach cases have ranged from $50 flat payments without proof to $2,500 or more for documented losses including identity theft, credit fraud, and related financial harm. The HIPAA allegations and the four-month notification delay are factors that may affect the settlement value. A data privacy attorney can give you a better estimate based on your specific situation.

My employer uses Beacon Mutual — am I affected even if I never filed a workers’ comp claim? 

Potentially. Beacon Mutual’s systems contain data on policyholders — not just active claimants. If your employer’s workers’ compensation coverage is through Beacon Mutual, your personal information may be in Beacon Mutual’s files. If you did not receive a notification letter but believe you may be affected, call Beacon Mutual’s helpline at 833-918-8448.

Sources Used in This Beacon Mutual Insurance Data Breach Article

• Rhode Island Current — Beacon Mutual ransomware attack exposed data of 4,500 current and former RI state employees, May 22, 2026: https://rhodeislandcurrent.com/2026/05/22/beacon-mutual-ransomware-attack-exposed-data-of-4500-current-and-former-ri-state-employees/
• Insurance Business Magazine — Rhode Island workers’ comp insurer faces class action over data breach, May 27, 2026: https://www.insurancebusinessmag.com/us/news/risk-compliance-legal/rhode-island-workers-comp-insurer-faces-class-action-over-data-breach-576567.aspx

Prepared by the AllAboutLawyer.com Editorial Team and reviewed for factual accuracy against Rhode Island Current reporting (May 22, 2026), Insurance Business Magazine (May 27, 2026), WPRI Channel 12 (May 22, 2026), and Insurance Journal (May 26, 2026). Last Updated: May 28, 2026.

This article is for informational purposes only and does not constitute legal advice. Laws vary by state and individual circumstances differ. For advice about your specific situation, consult a qualified attorney.