Lee Enterprises Lawsuit, Lee Enterprises Shared Your Data With Facebook — Here’s What Two Lawsuits Mean for You
If you subscribed to a Lee Enterprises newspaper and had a Facebook account, a $9.5 million settlement says your private data was shared without your consent — and you may have already missed your chance to claim ~$41. Meanwhile, nearly 40,000 current and former Lee employees whose Social Security numbers and medical records were exposed in a 2025 ransomware attack now have a separate $600,000 settlement moving through court. Here is the full picture on both cases.
Key Dates At a Glance
| Case | Event | Date |
| Subscriber VPPA Case | Final approval granted | August 14, 2025 |
| Subscriber VPPA Case | Claim deadline (CLOSED) | July 17, 2025 |
| Employee Data Breach Case | Preliminary approval granted | January 23, 2026 |
| Employee Data Breach Case | Claim deadline | To be set — check official notice |
| Employee Data Breach Case | Final approval hearing | Pending — not yet scheduled |
Who Is Lee Enterprises?
Lee Enterprises is one of the largest local newspaper publishers in the United States, headquartered in Davenport, Iowa. The company owns hundreds of newspapers and specialty publications in 25 states, including the Omaha World-Herald, Lincoln Journal Star, Sioux City Journal, Quad-City Times, Billings Gazette, and Missoula Current — among many others.
Despite its reach across local communities, Lee has found itself at the center of two major legal disputes that have affected both its subscribers and its own employees — cases involving Facebook data tracking and a criminal ransomware attack.
Case 1: The $9.5 Million Facebook Tracking Settlement — What Happened
Case Name: Stoudemire, et al. v. Lee Enterprises, Inc., Case No. 3:22-cv-00086-SHL-WPK Court: U.S. District Court, Southern District of Iowa Filed: 2022 Final Approval: August 14, 2025
What the lawsuit alleged:
Plaintiffs alleged Lee disclosed subscribers’ personally identifiable information to Facebook through tracking methods without consent in violation of the Video Privacy Protection Act. The specific tracking tool at the center of the case was Meta’s Facebook Pixel — a small piece of code embedded in Lee’s websites that sent data back to Facebook every time a logged-in Facebook user watched or clicked on video content on a Lee newspaper website.
The problem was not simply that Lee had the Pixel installed. It was what the Pixel transmitted: the specific titles of videos a user viewed, combined with that user’s Facebook ID. According to the lawsuit, individuals could use fairly basic web-browsing tools to see the titles of whatever video content had triggered the initial exchange of information between Lee and Facebook, providing an indirect link between named Facebook users and the specific videos those users had watched on Lee websites.
This violated the Video Privacy Protection Act (VPPA) — a 1988 federal law originally passed to prevent video rental stores from disclosing customers’ viewing histories without consent. Courts have found the law applies to modern streaming and online video content.
What the settlement provides:
Persons included in the proposed settlement were eligible to receive a pro rata portion of the $9,500,000 settlement fund, which Class Counsel anticipated would be approximately $41.01 per claimant.
Beyond the cash payment, Lee agreed to suspend operation of the Facebook or Meta Pixel on any pages on its websites that track video content and have a URL that identifies the title of the video content requested or viewed, until the VPPA is amended, repealed, or otherwise invalidated, or unless Lee has obtained valid consent. This means the settlement also changed how Lee handles subscriber tracking going forward.
Is the claim deadline still open?
No. The Lee Enterprises settlement was granted final approval on August 14, 2025. The claim deadline of July 17, 2025 has passed. If you were a subscriber who qualified but did not file a claim, you can no longer participate in this settlement. Payments will be distributed after any appeals are resolved.
Who qualified:
Consumers who subscribed to a Lee Enterprises publication, had a Facebook account and accessed or requested video material on a Lee website between December 19, 2020, and March 4, 2025 may have qualified. Approximately 1.6 million Lee subscribers were identified on the settlement class list generated by Lee who accessed video material on a Lee website at any time from December 19, 2020, until March 4, 2025 and who used Facebook during that time.
Case 2: The $600,000 Employee Data Breach Settlement — Still Active
Case: Employee data breach class action, U.S. District Court, Southern District of Iowa Preliminary Approval: January 23, 2026 Status: Open — claim deadline pending
This is the newer and still-active case. It involves Lee Enterprises employees, not subscribers.
What happened:
The Qilin ransomware group claimed credit for an attack on Lee Enterprises that began on February 1, 2025, and alleged that it gained access to 350 gigabytes of data. It also shared samples of what it claimed was data stolen from the company, including contracts, financial spreadsheets, non-disclosure agreements, and other confidential files.
In SEC filings and in a filing with the attorney general of Maine, Lee indicated the data breach involved documents containing personally identifiable information related to 39,779 individuals. The documents may include a mix of names, Social Security numbers, driver’s license data, financial account numbers, medical information, and health insurance data.
Lee stated that it has incurred $2 million in expenses related to restoring data systems in the wake of the February 2025 cyberattack. The company also indicated the data breach affected its finances by hampering its ability to bill customers and pay vendors.
What employees alleged:
Three separate class action lawsuits were filed in June 2025 by Nicole Church of Illinois, Declan Lawson of Montana, and Anthony Bangert of Wisconsin — all current or former Lee employees. The three lawsuits allege that Lee is guilty of negligence, breach of an implied contract, unjust enrichment, and invasion of privacy.
According to the lawsuits, on June 3, 2025, Lee began sending letters to current and former employees advising them that private information had been accessed by others without authorization. The lawsuits allege the letters omitted details such as the cause of the data breach, the system vulnerabilities exploited, and any remedial measures taken to guard against additional breaches. One lawsuit calls the notification “no real disclosure at all,” stating that the lack of specifics made it difficult for victims to protect themselves from potential fraud or identity theft.
The data breach, one plaintiff alleged, could have been avoided had Lee “bothered to implement basic monitoring and detection systems, which then would have stopped the data breach or greatly reduced its impact.”
What the settlement provides:
Nearly 40,000 class members would be eligible for some type of reimbursement — either a cash payment, an award for ordinary losses, or one for extraordinary injury — along with credit monitoring services. The alternate cash payment would be approximately $35 per claimant.
Lee also agreed to adopt enhanced cybersecurity measures as part of the settlement terms.
Is this settlement open for claims?
Preliminary approval was granted on January 23, 2026. The claim deadline has not yet been publicly set as of this writing. If you are a current or former Lee employee who received a breach notification, watch your mail for an official settlement notice — it will contain your unique login credentials for the claim portal and the specific deadline you must meet.
Settlement Fund Breakdown — Both Cases
Case 1: Subscriber VPPA Settlement
| Item | Amount |
| Total settlement fund | $9,500,000 |
| Attorney fees and costs | From the fund (amount court-approved) |
| Administration and notice costs | From the fund |
| Class representative incentive award | From the fund |
| Estimated net payment per claimant | ~$41.01 |
Case 2: Employee Data Breach Settlement
| Item | Amount |
| Total settlement fund | $600,000 |
| Attorney fees and costs | From the fund |
| Administration costs | From the fund |
| Estimated alternative cash payment | ~$35 per claimant |
| Out-of-pocket loss reimbursement | Available — amounts vary |
| Extraordinary injury payment | Available — amounts vary |
| Credit monitoring | Included for all class members |
Who Qualifies for the Employee Breach Settlement
You may qualify as a class member in the $600,000 employee data breach settlement if all of the following apply:
- You are a current or former Lee Enterprises employee
- Your personal information was compromised in the February 2025 ransomware attack
- You received a data breach notification letter from Lee Enterprises on or around June 3, 2025
Potentially exposed data includes names, Social Security numbers, driver’s license data, financial account numbers, medical information, and health insurance data.
Who is not eligible:
- Lee Enterprises executives, directors, and their immediate family members
- Anyone whose information was not included in the breach
- Newspaper subscribers affected by the Facebook Pixel issue — that is the separate VPPA settlement, which is now closed to new claims
What Lee Enterprises Says
Lee Enterprises has not admitted any wrongdoing in either case. The company declined to comment on the employee data breach litigation, stating it does not comment on pending litigation. In the subscriber VPPA settlement, Lee denied that it violated the VPPA or any other law, and the parties agreed to the settlement without any admission of liability and solely to avoid the uncertainties and expenses associated with continuing the lawsuit.
A Bigger Pattern: Lee’s History of Data Problems
The February 2025 ransomware attack was not Lee’s first cybersecurity incident. In 2020, the company was targeted by Iranian hackers as part of a broader campaign to spread disinformation during the U.S. presidential election. Two Iranian nationals were later charged with conspiracy to commit computer fraud, intimidation of voters, and making interstate threats. That federal criminal case remains open.
Three separate data-related class actions in five years — the 2022 subscriber VPPA case, the 2025 employee breach cases, and the 2020 Iranian hacking incident — point to a persistent pattern of data security concerns at one of America’s largest local news companies.
What to Do Right Now
If you are a former Lee subscriber: The VPPA settlement claim deadline passed on July 17, 2025 and is now closed. If you submitted a claim before that date, your payment will arrive after all appeals are resolved.
If you are a current or former Lee employee: Watch your mail carefully. A settlement notice with your unique claim ID and password should arrive if you are identified as a class member in Lee’s records. Do not ignore it — it contains your only access to file a claim. If you received a breach notification letter from Lee in June 2025 but have not received a settlement notice, contact the settlement administrator through the official case website once it is established.
If you are unsure whether you qualify: Contact a consumer privacy or data breach attorney for a free consultation. Most work on contingency — no upfront cost.
Frequently Asked Questions
What is the Lee Enterprises lawsuit about?
There are actually two separate cases. The first involved Lee sharing subscriber video-viewing data with Facebook without consent, violating the Video Privacy Protection Act — settled for $9.5 million, now closed to claims. The second involves a February 2025 ransomware attack that exposed sensitive personal data of nearly 40,000 current and former employees — settled for $600,000, currently in preliminary approval with claims not yet open.
Can I still file a claim in the $9.5 million subscriber settlement?
No. The claim deadline was July 17, 2025 and the settlement received final approval on August 14, 2025. That window is closed.
How much will employees get from the data breach settlement?
The alternate cash payment is expected to be approximately $35 per claimant. Class members may also be eligible for reimbursement of ordinary or extraordinary losses and credit monitoring services. Final amounts depend on total valid claims and court-approved deductions.
What data was exposed in the Lee Enterprises breach?
The exposed data may include names, Social Security numbers, driver’s license data, financial account numbers, medical information, and health insurance data belonging to 39,779 individuals.
Who was behind the Lee Enterprises ransomware attack?
The Qilin ransomware group claimed credit for the attack and alleged it gained access to 350 gigabytes of data, including contracts, financial spreadsheets, non-disclosure agreements, and other confidential files.
Is this a class action I can join if I was not notified?
The employee breach settlement covers individuals identified in Lee’s own records as having had their data compromised. If you were a Lee employee but did not receive a breach notification, contact the settlement administrator once the official claim website is established to check whether your records were affected.
What did Lee agree to change going forward?
In the subscriber case, Lee agreed to stop using Facebook’s Pixel on video content pages unless it obtains proper consent. In the employee breach case, Lee agreed to adopt enhanced cybersecurity measures. Both settlements include structural changes beyond just cash payments.
When will employees receive payment?
Not before the final approval hearing, which has not yet been scheduled as of February 2026. After final approval, there may be an appeals period before payments are distributed. Realistically, payments are unlikely before late 2026.
Last Updated: February 18, 2026
Disclaimer: This article is for informational purposes only and does not constitute legal or tax advice. Settlement terms, eligibility, and payment amounts are subject to court approval and may change. For official information, always refer to the settlement administrator or the official settlement website.
About the Author
Sarah Klein, JD, is a licensed attorney and legal content strategist with over 12 years of experience across civil, criminal, family, and regulatory law. At All About Lawyer, she covers a wide range of legal topics — from high-profile lawsuits and courtroom stories to state traffic laws and everyday legal questions — all with a focus on accuracy, clarity, and public understanding.
Her writing blends real legal insight with plain-English explanations, helping readers stay informed and legally aware.
Read more about Sarah