Globe Life hit with a pair of lawsuits over handling of 2024 data breach

Globe Life initially claimed few people were impacted by a June 2024 data breach.

By John Hilton

Globe Life, Inc. faces a pair of lawsuits filed this week over a June 2024 data breach that exposed as many as 850,000 policyholders, a fact the insurer did not disclose until January of this year.

It’s how Globe Life handled the data breach that most irked plaintiffs Barbara Buford and Ronald Singletary. Both are represented by the Miami law firm Shamis and Gentile and both seek class-action status from the Eastern District of Texas federal court.

Four months after the data breach, Globe Life informed the Securities and Exchange Commission that "personally identifiable information" was obtained from about 5,000 people. In a Jan. 30 notice, the insurer adjusted that figure upward by about 845,000 people.

“To this day, Defendant has still not mailed out any notices to its customers, nor have they posted a notice or any information regarding the Data Breach on their website,” plaintiffs note in the lawsuits.

Plaintiffs allege negligence, breach of contract, and breach of fiduciary duty.

Globe Life does not comment on lawsuits, a spokeswoman has said.

Personal information exposed

Globe Life initially said that "personally identifiable information" was obtained that included names, email addresses, phone numbers, postal addresses, and in some instances dates of birth, Social Security numbers, health-related data, and other insurance policy information.

In its Jan. 30 filing, the insurer said that hackers also accessed specific databases that were being maintained by independent insurance agency owners.

"Out of an abundance of caution, [Globe Life] has also initiated the process to provide voluntary notifications to, and credit monitoring services for, approximately 850,000 additional individuals whose information was also stored in the relevant databases, even though the Company has not been able to confirm if the threat actor acquired these additional individuals’ data," the latest Form 8-K says.

Plaintiffs point out that Texas law – the Identity Theft Enforcement And Protection Act – requires that a data breach disclosure notification must be made “without unreasonable delay and in each case not later than the 60th day after the date on which the person determines that the breach occurred.”

In light of a proliferation of high-profile data breaches in recent years, plaintiffs say, Globe Life should have known to install strong data security measures. Healthcare records are particularly vulnerable.

Of the 1,862 recorded data breaches in 2021, 330 of them, or 17.7%, involved medical or healthcare records, the lawsuit said. The 330 breaches reported in 2021 exposed nearly 30 million sensitive records, compared to 306 breaches that exposed nearly 10 million sensitive records in 2020, the lawsuit said.

“Defendant did not use reasonable security procedures and practices appropriate to the nature of the sensitive information it was maintaining for Plaintiff and Class members, such as encrypting the information or deleting it when it is no longer needed, causing the exposure of Private Information,” the lawsuit said.

Learned from the news

Singletary purchased a life insurance policy from Globe Life and was required to provide a good deal of personal information, his lawsuit stated. He later learned about the Globe Life data breach from a news report, the lawsuit said.

“Plaintiff made reasonable efforts to mitigate the impact of the Data Breach, including checking his bills and accounts to make sure they were correct,” the lawsuit said. “Plaintiff has spent significant time dealing with the Data Breach, valuable time he otherwise would have spent on other activities, including but not limited to work and/or recreation. This time has been lost forever and cannot be recaptured.”

Globe Life is coming off a difficult year.

At least three short-seller and other research firms have issued reports accusing brokers at subsidiary American Income Life of widespread insurance fraud, including writing policies for dead and fictitious people, and an alleged kickback scheme that netted millions for senior executives.

In its report Fuzzy Panda claimed it "reviewed hundreds of pages of court documents and interviewed dozens of former executives and agents. We uncovered a whistleblower from the executive ranks who showed us where the fraud was hidden. We even went undercover to go through the recruiting process more than 10 times."

Fuzzy Panda alleged that third-party policy sellers known to have committed insurance fraud contributed over 60% of the new business at Globe Life's American Income Life unit. AIL accounted for nearly half of the total underwriting margins last year.

InsuranceNewsNet Senior Editor John Hilton has covered business and other beats in more than 20 years of daily journalism. John may be reached at [email protected]. Follow him on Twitter @INNJohnH.