Several lawsuits have been filed against Lee University in the wake of a 2024 data breach.
The complaints in Chattanooga Federal Court are seeking class action status.
The suits say Lee did not provide notification of the breach until over 300 days past the required time to do so.
The complaints say, "As a result of the Data Breach, plaintiff and class members suffered injury and ascertainable losses in the form of the present and imminent threat of fraud and identity theft, loss of the benefit of their bargain, out-of-pocket expenses, loss of value of their time reasonably incurred to remedy or mitigate the effects of the attack, and the loss of, and diminution in, value of their personal information."
"The Data Breach was a direct result of defendant’s failure to implement adequate and reasonable cyber-security procedures and protocols necessary to protect victims’ PII," it was stated.
The suits ask unspecified damages as well as pay for lifetime credit monitoring services for those affected.
In the Notice of Data Security Incident letter sent March 24, 2025, Lee officials said:
What Happened. In March 2024, we experienced a security incident that impacted our local systems through a third-party software vulnerability. After detecting the third-party vulnerability and containing the incident, we launched an investigation with the support of industry-leading cybersecurity experts to learn more about the scope of the potentially affected data on those systems. Our investigation revealed that some university data may have been downloaded from our systems. We then launched a comprehensive review of all potentially affected data to try to identify individuals whose information was involved and gather contact information needed to provide notice. These efforts concluded in March 2025. After we learned that some of your information was potentially involved, we arranged to provide you this notice.
What Information Was Involved. The potentially involved information varies by individual. Based on the investigation, we understand that the information may have included your name, Social Security number, and/or education-related information.
What We Are Doing. As soon as we discovered the incident, we took the steps described above. As part of our ongoing commitment to information security, we are reviewing existing policies and procedures and implementing enhanced security measures to reduce the likelihood of a similar incident occurring in the future. We are further notifying you of this event and advising you about steps you can take to help protect your information.