Impac Mortgage Holdings Data Breach Exposes Social Security Numbers — Victims Waited Two Years for Notice
A cyberattack in early 2024 compromised names and Social Security numbers at a California-based mortgage company — but affected customers weren’t told until March 2026. Class action investigations are now underway.
Quick Case Snapshot
| Field | Details |
| --- | --- |
| Company | Impac Mortgage Holdings, Inc. (OTC Pink: IMPM) |
| Headquarters | Irvine, California |
| Breach Window | February 21, 2024 – March 20, 2024 |
| Date Discovered | March 20, 2024 |
| Threat Actor | Medusa (ransomware group) |
| Data Exposed | Names, Social Security numbers |
| Victims Notified | March 27, 2026 — approximately two years after the breach |
| Number Affected | Not yet publicly disclosed |
| Lawsuit Status | Active class action investigation — no formal complaint yet filed |
| Law Firms Investigating | Sauder Schelkopf LLP; Shamis & Gentile P.A. |
| Potential Claims | Negligence, failure to safeguard data, delayed notification, GLBA Safeguards Rule violations |
| Current Status | Pre-litigation investigation phase |
What Happened — The Core Facts
If you are a current or former Impac Mortgage Holdings customer or employee, your Social Security number may have been in the hands of cybercriminals since early 2024 — and the company may not have told you until over two years later.
Sauder Schelkopf LLP is investigating a data breach involving Impac Mortgage Holdings, Inc. following unauthorized access to its systems between February 21 and March 20, 2024. The incident resulted in an unknown actor gaining access to files containing sensitive personal information, including individuals’ names and Social Security numbers.
On March 20, 2024, Impac Mortgage Holdings discovered indications of unauthorized access to its systems. An investigation determined that an unknown actor may have accessed certain files and folders containing protected information between February 21, 2024, and March 20, 2024. After a thorough review, Impac confirmed that personal information was involved in the breach. Written notice was sent to affected individuals on March 27, 2026.
That notification date — March 27, 2026 — is at the heart of what makes this case legally significant. The breach happened in early 2024. Victims were not told until more than two years later.
Who Is Impac Mortgage Holdings?
Impac Mortgage Holdings Inc. is a financial services company based in Irvine, California. Founded in 1995, the company has focused on residential mortgage lending, real estate services, and long-term mortgage portfolio management. It trades on the OTC Pink market under the ticker symbol IMPM.
As a mortgage lender, Impac collects some of the most sensitive personal and financial data that exists — names, addresses, income figures, tax records, and crucially, Social Security numbers — from every borrower who applies for or receives a loan. That data is exactly what cybercriminals target.
The Threat Actor: Medusa Ransomware
The threat actor behind the Impac Mortgage breach has been identified as Medusa, with the breach discovered on March 26, 2024. Medusa is a well-documented ransomware-as-a-service operation that has targeted organizations across financial services, healthcare, and education. The group typically exfiltrates data before encrypting systems, then threatens to publish stolen files on a dark web leak site unless a ransom is paid — a tactic known as double extortion.
The leak size in the Impac breach has not been publicly confirmed, and it is not yet clear whether Impac paid a ransom or whether the stolen data was published on Medusa’s dark web platform.
The Two-Year Notification Gap — Why It Matters Legally
This is where the case becomes particularly serious from a legal standpoint.
Although Impac conducted an internal investigation and completed a review of impacted data before issuing notifications in March 2026, the prolonged timeline and exposure of highly sensitive identifiers raise serious concerns about the company’s data security practices and incident response.
Two years is an extraordinarily long period between breach and notification. During those two years, affected individuals had no opportunity to:
- Freeze their credit
- Monitor for identity theft
- Place fraud alerts on their accounts
- Take any protective action whatsoever
State data breach notification laws in most U.S. states require companies to notify affected individuals within 30 to 90 days of discovering a breach. If Impac discovered the breach on March 20, 2024, and did not notify until March 27, 2026, the delay spans approximately 740 days — well beyond any standard notification window under applicable law.
What the Lawsuit Alleges — Key Legal Claims
Multiple law firms are now investigating potential class action claims on behalf of affected individuals. The allegations being evaluated center on several distinct legal failures:
1. Failure to Encrypt Sensitive Data
Investigators allege that Impac stored sensitive personal information — including Social Security numbers — without adequate encryption. This is particularly damaging because Impac’s own privacy policy reportedly assured customers that such data was protected. The gap between that promise and the alleged reality is a central element of the legal case.
2. Failure to Implement Basic Security Controls
The prolonged timeline and exposure of highly sensitive identifiers raise serious concerns about the company’s data security practices and incident response. Specifically, investigators point to alleged failures to implement multi-factor authentication, maintain adequate network monitoring, and sufficiently train employees on cybersecurity threats — all recognized industry standards for financial institutions.
3. Gramm-Leach-Bliley Act (GLBA) Safeguards Rule Violations
As a mortgage company, Impac Mortgage Holdings is a financial institution subject to the Gramm-Leach-Bliley Act (GLBA) and the FTC’s Safeguards Rule. This federal law requires financial institutions to develop and maintain a comprehensive written information security program. The Safeguards Rule was significantly strengthened in 2023, adding specific technical requirements including encryption, multi-factor authentication, and access controls. A breach of this scale, allegedly involving unencrypted Social Security numbers, raises direct questions about whether Impac met these federal obligations.
4. Delayed Notification Potentially Violating State Law
Most states require breach notifications to be issued promptly — typically within 30 to 90 days of discovery. A notification issued approximately two years after the breach was detected may constitute a violation of applicable state breach notification statutes, depending on where affected individuals reside. California, where Impac is headquartered, requires notification to affected residents without unreasonable delay.
5. What Damages Victims May Seek
Individuals affected by this breach may face a heightened risk of identity theft and fraud. Potential damages include costs related to credit monitoring and identity theft protection, recovery of financial losses caused by fraud, compensation for emotional distress and inconvenience, and punitive damages to discourage future negligence.
Defendant’s Response
Impac Mortgage Holdings has not made any public statement specifically addressing the class action investigations or the legal sufficiency of its notification timeline. The company’s March 27, 2026 breach notification letter to affected individuals is the primary public-facing communication issued to date. The content of that letter has not been fully reproduced publicly. Impac has not filed any court response, as no formal complaint has yet been filed.
Legal Context: Why This Breach Is Particularly Concerning
Social Security Numbers Are Permanent — Victims Can’t Get New Ones
Unlike a compromised credit card number — which can be cancelled and reissued in minutes — a Social Security number is permanent. Once exposed, it creates a lifelong risk of identity theft, tax fraud, synthetic identity fraud, and financial account takeover. The two-year delay in notification means victims had no opportunity to take protective action during the precise window when the data was most actively exploitable.
Financial Services: The Most Targeted Sector
The filing context cites data showing that financial services was the single most targeted sector for data breaches in 2024, with over 23% of all compromises nationwide hitting the industry. Mortgage companies are prime targets because loan files contain dense concentrations of the most valuable personal data: full legal names, SSNs, income records, tax documents, employment history, and bank account details — all in one place.
The Medusa Ransomware Threat
Medusa operates what cybersecurity researchers describe as a “ransomware-as-a-service” model — meaning the core developers rent their malware and infrastructure to affiliated criminal operators who carry out actual attacks. Medusa has claimed dozens of victims across critical infrastructure sectors and has a documented history of publishing stolen data when ransom demands are not met. Whether the Impac data was published or sold on criminal markets remains an open question that may be central to eventual litigation.
GLBA Safeguards Rule — What the Law Actually Requires
The FTC’s updated Safeguards Rule, which took full effect in 2023, requires financial institutions to: designate a qualified individual to oversee cybersecurity; conduct periodic risk assessments; encrypt all customer information in transit and at rest; implement multi-factor authentication; monitor systems for unauthorized activity; train security personnel; and report qualifying breaches to the FTC within 30 days. If investigators establish that Impac failed on multiple of these requirements, federal regulatory exposure could accompany the civil litigation.
Are You Affected? How to Find Out and What to Do Right Now
Step 1 — Check Your Mail
Written notice was sent to affected individuals on March 27, 2026. If you received a letter from Impac Mortgage Holdings in late March or April 2026 regarding a data breach, you are among the confirmed affected individuals.
Step 2 — Freeze Your Credit Immediately
Even if you have not received a notice, if you are a current or former Impac customer, acting proactively is wise. Contact all three major credit bureaus — Equifax, Experian, and TransUnion — and place a free credit freeze on your file. A credit freeze prevents new accounts from being opened in your name without your explicit authorization.
Step 3 — Place a Fraud Alert
A fraud alert requires creditors to verify your identity before extending credit. You only need to contact one bureau — they are legally required to notify the other two.
Step 4 — Monitor Your Accounts and Tax Returns
Social Security number exposure creates specific risks of tax fraud — criminals may file a fraudulent tax return in your name to claim a refund. Consider filing your taxes early to prevent this, and check your IRS account at IRS.gov for any unauthorized activity.
Step 5 — Contact a Data Breach Attorney
Sauder Schelkopf LLP is offering free case reviews to individuals affected by the breach. Our experienced legal team is here to help you understand your rights and options. Shamis & Gentile P.A. is also actively investigating. There is no cost to speak with an attorney and no obligation to proceed.
Current Status & What Happens Next
The Impac Mortgage Holdings data breach case is currently in the pre-litigation investigation phase. No formal class action complaint has been confirmed as filed as of the date of this publication. Here is what the typical timeline looks like from this point:
Now — Investigation Phase: Law firms gather evidence, identify the full scope of affected individuals, and evaluate the strength of potential claims.
Next — Formal Complaint Filed: Once enough evidence is assembled and potential plaintiffs identified, one or more formal class action complaints will be filed in federal or state court.
Following — Motion Practice: The defendant will likely file a motion to dismiss, arguing among other things that plaintiffs lack “standing” (i.e., they have not suffered concrete harm yet). Courts have increasingly allowed data breach cases to proceed past this stage when SSNs are involved.
Discovery: Both sides exchange documents, communications, and expert reports on Impac’s cybersecurity practices and the scope of the breach.
Class Certification → Settlement or Trial: Most data breach class actions settle before trial. Settlements in comparable mortgage company breach cases have ranged from low six figures to multi-million dollar funds depending on the number of victims and severity of harm.
FAQs
Q: How do I know if I was affected by the Impac Mortgage Holdings data breach?
Impac sent written notification letters on March 27, 2026. If you received one, you are confirmed as affected. If you are a current or former customer and did not receive a letter, you can contact Impac directly or reach out to one of the investigating law firms for guidance.
Q: What information was exposed?
Based on current public information, the breach exposed names and Social Security numbers. Whether additional data categories — such as financial account numbers, loan details, or dates of birth — were also compromised has not been fully confirmed publicly.
Q: Why did it take two years to notify victims?
Impac has not publicly explained the two-year gap between breach discovery (March 2024) and victim notification (March 2026). This delay is a central focus of the legal investigations and may constitute violations of state notification laws.
Q: Is there already a class action lawsuit filed against Impac?
As of publication, the case is in the investigation and pre-filing stage. Multiple law firms are actively evaluating claims but a formal class action complaint has not been publicly confirmed as filed. This can change rapidly.
Q: Can I join the lawsuit even if I haven’t suffered identity theft yet?
Potentially yes. Courts have increasingly recognized that exposure of Social Security numbers creates a credible, imminent risk of future harm — sufficient to establish legal standing even before actual misuse occurs. Speak with an attorney to evaluate your specific situation.
Q: Does it cost anything to investigate my claim?
No. Data breach law firms investigate on a contingency basis — meaning no upfront fees, and attorneys only collect if money is recovered.
Q: What immediate steps should I take to protect myself?
Freeze your credit at all three bureaus, place a fraud alert, monitor your financial accounts and tax filings, and consider an identity theft protection service. These steps are free or low-cost and provide meaningful protection.
Last Updated: April 20, 2026
This article is for informational purposes only and does not constitute legal advice. The data breach and all associated legal claims are currently under investigation. No class has been certified and no court has ruled on the merits of any claim. All allegations are unproven. Readers who believe they may be affected should consult a licensed attorney for advice specific to their situation.
About the Author
Sarah Klein, JD, is a licensed attorney and legal content strategist with over 12 years of experience across civil, criminal, family, and regulatory law. At All About Lawyer, she covers a wide range of legal topics — from high-profile lawsuits and courtroom stories to state traffic laws and everyday legal questions — all with a focus on accuracy, clarity, and public understanding.
Her writing blends real legal insight with plain-English explanations, helping readers stay informed and legally aware.