Liberty Mutual Insurance Ransomware Data Breach Class Action, Everest Ransomware Stole Policyholder Records Are You Affected?
Liberty Mutual Insurance is facing a class action lawsuit alleging it failed to safeguard sensitive information belonging to more than 15,000 policyholders that was exposed in a recent ransomware attack. The lawsuit was filed on May 7, 2026, after hackers claimed they stole policyholder information and sought a ransom payment from the company.
No settlement exists yet. No claim form is open. If you are a Liberty Mutual policyholder — current or former — here is exactly what happened and what your options are right now.
| Field | Detail |
| Lawsuit Filed | May 7, 2026 |
| Defendant | Liberty Mutual Insurance Co. |
| Lead Plaintiffs | Robert Francis; John Goodwin |
| Alleged Violation | Negligence; breach of implied contract; Massachusetts Consumer Protection Act; invasion of privacy |
| Ransomware Group | Everest |
| Data Stolen | 108 GB — 52,429 files across 14,979 folders |
| Who Is Affected | Current and former Liberty Mutual policyholders |
| Estimated People Affected | More than 15,000 (per complaint — investigation ongoing) |
| Attack Date | April 30, 2026 |
| Data Published | May 4, 2026 (after Liberty Mutual did not respond to ransom demand) |
| Court & Jurisdiction | U.S. District Court for the District of Massachusetts |
| Case Number | Francis et al. v. Liberty Mutual Insurance Co., No. 1:26-cv-12056 |
| Last Updated | May 20, 2026 |
What Happened in the Liberty Mutual Ransomware Attack? Francis et al. v. Liberty Mutual Insurance Co., No. 1:26-cv-12056
On April 30, 2026, the Everest ransomware group stole 108 gigabytes of data from systems connected to Liberty Mutual Insurance. The dump contains 52,429 files across 14,979 folders — including policyholder names, addresses, policy numbers, and financial details.
After claiming the insurer failed to respond to its ransom demands, Everest published the stolen data on May 4, 2026. Liberty Mutual acknowledged the claims and said the Boston company was investigating the matter, which it said appears to involve an incident at a third-party vendor.
Liberty Mutual told reporters it was investigating “a possible incident at a third-party vendor” and emphasized that its current review does not indicate a compromise of Liberty Mutual’s own systems or networks. However, file timestamps suggest the attackers may have had access for months before stealing the data in April — the entire trove was allegedly created on January 26, 2026.
That gap matters legally. If attackers were inside a vendor’s systems for months before the data was stolen and published, the question becomes when Liberty Mutual knew — or should have known — that its customers’ data was at risk. That is exactly the kind of identity theft lawsuit argument the plaintiffs are pressing in this case.
This is the same Everest ransomware group behind the April 2026 attack on Citizens Bank customers. If you want to understand how courts are handling vendor-sourced breaches right now, the Citizens Bank data breach class action lawsuit is the closest comparison — same attacker, same third-party vendor structure, same unresolved question about who bears responsibility when your insurer’s outside vendor is the weak link.
What Data Was Stolen From Liberty Mutual Policyholders?
The Everest ransomware group claims the stolen data includes personally identifiable information (PII) covering tens of thousands of insurance-related documents, including customer-facing records, individual policy documents, and generated forms. File formats include .doc, .pdf, .txt, .json, .afp, .vpf, and .tgz archives.
Policyholder information including customer names, addresses, policy numbers, and financial and insurance details is among the tens of thousands of Liberty Mutual files Everest claimed to have stolen.
The plaintiffs allege their personally identifiable information and protected health information were both compromised. They discovered that Everest added Liberty Mutual to its dark web leak site, where their private information — including highly sensitive medical records — may be posted for any bad actor to view, download, and use to commit crimes including identity theft and fraud.
Medical records in a data breach are treated differently under law than financial data. Protected health information (PHI) carries its own set of federal protections. The plaintiffs argue Liberty Mutual failed to encrypt or redact this information before it was accessible to the attacking group.
Are You Part of the Liberty Mutual Class Action?
Here is how to know if this lawsuit includes you.
You may be part of this class if:
- You are a current or former Liberty Mutual policyholder whose personal data was held in the systems connected to the April 2026 breach
- Your policy data includes your name, address, policy number, financial details, or health information
- You received a data breach notification letter from Liberty Mutual related to this incident
- You experienced spam, phishing calls or texts, or suspicious financial activity after April 30, 2026 — lead plaintiff Robert Francis says he began experiencing spam, scam, and phishing messages soon after the breach, while co-plaintiff John Goodwin reports fraudulent charges were made to his checking account
You are likely NOT included if:
- You have never held a Liberty Mutual insurance policy
- Your only Liberty Mutual interaction was a quote — not an active policy — and you received no breach notification
The plaintiffs are seeking to represent a nationwide class and a Massachusetts subclass of consumers whose private information was compromised in this Liberty Mutual data breach. You do not need to live in Massachusetts to potentially qualify for the nationwide class.
Liberty Mutual’s History of Data Security Failures — This Is Not the First Time
This case does not arrive in a vacuum. Liberty Mutual carries a documented track record of cybersecurity failures that is directly relevant to how courts will evaluate the plaintiffs’ negligence claims.
In October 2025 — less than seven months before the Everest attack — the New York State Attorney General’s Office slapped Liberty Mutual with a $2 million settlement related to a 2021 cyberattack, as part of a $14.2 million total settlement against eight insurance companies.
In the 2021 case, Liberty Mutual Insurance experienced attacks on three different consumer quote tools, exposing the data of approximately 50,000 New Yorkers. New York Attorney General Letitia James said at the time that the companies “had poor cybersecurity that allowed hackers to easily steal New Yorkers’ personal information and use some of the information for fraud.”
The New York Department of Financial Services investigation concluded that Liberty Mutual did not comply with DFS’s cybersecurity regulation, which requires companies to implement policies, procedures, and controls designed to protect consumer data. In addition to the fine, Liberty Mutual was required to significantly improve its cybersecurity programs.
Those mandated improvements were supposed to prevent exactly this kind of incident. The fact that Everest successfully extracted 108 GB of policyholder data less than a year after that settlement will be central to the plaintiffs’ argument that Liberty Mutual’s negligence was not accidental — it was systemic. For context on how courts weigh prior regulatory findings in insurance data breach litigation, the Lakeview Loan Servicing $26M data breach settlement is a close example of how documented security failures strengthen plaintiffs’ cases.
What Are the Plaintiffs Asking the Court to Do?
Francis and Goodwin claim Liberty Mutual is guilty of negligence, negligence per se, breach of implied contract, unjust enrichment, invasion of privacy, and violations of the Massachusetts Consumer Protection Act and the Declaratory Judgment Act. The plaintiffs demand a jury trial and request declaratory and injunctive relief.
The complaint argues Liberty Mutual failed to encrypt or redact sensitive policyholder data, did not implement reasonable cybersecurity safeguards despite its prior regulatory penalties, and failed to adequately monitor and oversee the third-party vendor whose systems were breached.
The lawsuit states: “The present and continuing risk to victims of the data breach will remain for their respective lifetimes.” That language matters. It signals the plaintiffs are seeking long-term damages — not just reimbursement for immediate losses — because stolen insurance and health records do not expire.
No monetary settlement amount has been confirmed. No claim form exists. This is an active litigation case in its early stage.
What Should You Do Right Now If You Are a Liberty Mutual Policyholder
Most affected policyholders will be automatically included in the class if the court certifies it. You do not need to hire a lawyer today. Here is what makes practical sense right now:
- Watch your mail and email for a data breach notification. Liberty Mutual is legally required to notify affected policyholders. If you receive one, save it — it establishes your membership in the class.
- Monitor your financial accounts closely. Co-plaintiff Goodwin reports fraudulent charges to his checking account following the breach. Check bank statements and credit card activity for anything unfamiliar.
- Watch for phishing and scam contact. Co-plaintiff Francis received a surge of spam texts and calls after the breach. Do not respond to any unsolicited contact asking for personal or insurance information.
- Consider placing a credit freeze. A free credit freeze at all three major bureaus (Equifax, Experian, TransUnion) prevents new accounts from being opened in your name. It does not affect your existing accounts.
- Save all your Liberty Mutual policy documents and correspondence. These establish your relationship with the insurer and your potential class membership.
- If you believe you have suffered specific, documentable financial harm, consult a consumer rights lawyer or data breach compensation attorney to understand whether individual claims make sense alongside class participation.
Do not contact Liberty Mutual directly about the lawsuit. The company has not acknowledged liability and its investigation is described as ongoing.
Liberty Mutual Data Breach and Lawsuit Timeline
| Milestone | Date |
| Liberty Mutual 2021 Cybersecurity Attack | Early 2021 |
| NY AG Investigation Begins | 2021–2022 |
| NY DFS Cybersecurity Improvement Order Issued to Liberty Mutual | October 14, 2025 |
| NY AG $2.7M Liberty Mutual Penalty Paid | October 2025 |
| Everest Ransomware Group Accesses Data | Likely January 26, 2026 (per file timestamps) |
| Everest Lists Liberty Mutual on Dark Web Leak Site | April 30, 2026 |
| Liberty Mutual Acknowledges Incident, Cites Third-Party Vendor | Early May 2026 |
| Everest Publishes 108 GB of Stolen Data | May 4, 2026 |
| Class Action Filed in Massachusetts | May 7, 2026 |
| Class Certification Motion | TBD — not yet filed |
| Next Court Hearing | TBD — no date set |
| Expected Settlement Timeline | TBD — 1–3 years minimum from filing |
Frequently Asked Questions
Is there a class action lawsuit against Liberty Mutual over the 2026 data breach?
Yes. Plaintiffs Robert Francis and John Goodwin filed a proposed nationwide class action on May 7, 2026, in the U.S. District Court for the District of Massachusetts, Case No. 1:26-cv-12056. The lawsuit alleges Liberty Mutual failed to protect policyholder data that was stolen and published by the Everest ransomware group.
Do I need to do anything right now to join the Liberty Mutual class action?
No immediate action is required. If the court certifies the class, all eligible policyholders will be automatically included unless they choose to opt out. The most useful step right now is saving any breach notification you receive from Liberty Mutual and monitoring your financial accounts for unusual activity.
What information was stolen in the Liberty Mutual ransomware attack?
Policyholder information including customer names, addresses, policy numbers, and financial and insurance details is among the Liberty Mutual files Everest claims to have stolen. The plaintiffs also allege that protected health information and medical records were included in the stolen data.
When will the Liberty Mutual lawsuit settle?
TBD — no settlement negotiations have been reported. Cases at this stage typically take one to three years from filing before a settlement is reached, assuming the court certifies the class. The case was filed in May 2026 and has not yet been scheduled for a class certification hearing.
Has Liberty Mutual had data breach problems before?
Yes. In October 2025, Liberty Mutual paid $2 million to New York State after a 2021 cyberattack exposed the data of approximately 50,000 New Yorkers through attacks on three different consumer quote tools. The company was ordered to improve its cybersecurity practices as a condition of that settlement. The Everest attack occurred less than seven months later.
Can I file my own lawsuit against Liberty Mutual instead of waiting for the class action?
Yes. You can consult a data privacy attorney to evaluate individual claims, particularly if you have suffered documented losses like fraudulent charges or identity theft. Individual litigation is more expensive and complex than class participation, but may be worth exploring if your damages are significant.
What is the Everest ransomware group?
Everest is a ransomware-as-a-service criminal group that operates a double-extortion model — attackers steal data first, then encrypt systems, and threaten to publish everything publicly if the victim does not pay a ransom. After claiming Liberty Mutual failed to respond to its demands, Everest published the data publicly on May 4, 2026. The same group was responsible for the Citizens Bank breach in April 2026.
Sources & References
- Court Docket: Francis et al. v. Liberty Mutual Insurance Co., Case No. 1:26-cv-12056, U.S. District Court for the District of Massachusetts
- Law360, “Liberty Left Client Info Vulnerable to Hackers, Suit Alleges,” May 7, 2026 — Law360 Report
- Bank Info Security, “Everest Group Begins Leaking Alleged Liberty Mutual Data,” May 4, 2026 — Bank Info Security
- New York Attorney General Press Release, “AG James Secures $14.2 Million from Car Insurance Companies Over Data Breaches,” October 14, 2025 — NY AG Office
- New York Department of Financial Services Consent Order: Liberty Mutual Insurance Company, October 14, 2025 — NY DFS
Prepared by the AllAboutLawyer.com Editorial Team and reviewed for factual accuracy against the court complaint (Case No. 1:26-cv-12056), Law360 case reporting dated May 7, 2026, Bank Info Security reporting dated May 4, 2026, and the NY AG official press release dated October 14, 2025. Last Updated: May 20, 2026
Disclaimer: This article is for informational purposes only and does not constitute legal advice. Legal claims and outcomes depend on specific facts and applicable law. For advice regarding a particular situation, consult a qualified attorney.
About the Author
Sarah Klein, JD, is a licensed attorney and legal content strategist with over 12 years of experience across civil, criminal, family, and regulatory law. At All About Lawyer, she covers a wide range of legal topics — from high-profile lawsuits and courtroom stories to state traffic laws and everyday legal questions — all with a focus on accuracy, clarity, and public understanding.
Her writing blends real legal insight with plain-English explanations, helping readers stay informed and legally aware.
Read more about Sarah