Accounting firm Legacy Professionals notifies 191K people of data breach that compromised SSNs, health info

Accounting firm Legacy Professionals this week confirmed it notified 190,818 people about an April 2024 data breach that compromised names, Social Security numbers, driver’s license numbers, medical treatments, and health insurance info.

Ransomware gang LockBit claimed responsibility for the attack in August 2024, when it gave Legacy Professionals two weeks to pay an undisclosed sum in ransom.

Legacy Professionals has not verified LockBit’s claim. We do not know if Legacy Professionals paid a ransom or how attackers breached its network. Comparitech contacted Legacy Professionals for comment and will update this article if it replies.

“In late April 2024, Legacy learned of potentially suspicious activity related to certain data stored on our computer network,” says Legacy Professionals’ notice to victims. “We immediately took steps to secure our environment and investigate the nature and scope of the issue with assistance from a third-party cybersecurity specialist. After receiving additional information in November 2024, the investigation determined that certain files had been taken from Legacy servers by an unauthorized actor.”

The notice does not specify who the data belongs to, except to say that the attack involved “certain information related to you that we handle in relation to our clients.”

Legacy Professionals is offering victims 24 months of free credit monitoring via IDX. The enrollment deadline is May 27, 2025.

Who is LockBit?

LockBit is perhaps the most infamous ransomware gang in recent years, first appearing in 2019. The group is most likely based in Russia. Its malware can both lock down infected computers and steal data. LockBit often extorts its targets both to unlock infected systems and to refrain from auctioning off stolen data, a tactic known as double extortion.

In 2024, LockBit claimed responsibility for 92 confirmed ransomware attacks, compromising 34.6 million records. The group made another 421 unconfirmed claims in 2024 that haven’t been acknowledged by targets.

Some of LockBit’s most high-profile attacks include those on Evolve Bank and Trust, the California Finance Administration, TSMC, Boeing, London Drugs, and the Fulton County, GA local government.

Ransomware attacks on US finance

Ransomware attacks on US finance companies can both steal data and lock down computer systems. The company is forced to pay a ransom for a key to unlock its systems and to prevent the attacker from auctioning off stolen data. If a company doesn’t comply, it could face extended downtime and data loss, and could put customers and/or staff at increased risk of fraud.

In 2024, Comparitech researchers logged 57 confirmed ransomware attacks on US finance companies, a slight decrease from 2023. The number of records impacted grew more starkly year on year from 28.1 million in 2023 to 34.6 million in 2024. The average ransom demand across these attacks was $1 million.

In 2025 so far, we’ve recorded one confirmed breach against a US financial company: Etrella Insurance, which notified 16,379 victims this week. Another 151 such attacks have been claimed by ransomware gangs but not confirmed by targets.

About Legacy Professionals

Legacy Professionals is an accounting firm with locations in Westchester, Illinois; Schererville, Indiana; and Edina, Minnesota. Its services include audits, accounting, and taxes for employee benefit plans, labor organizations, not-for-profits, and commercial entities.

