The Pennsylvania State Education Association data breach has escalated into legal territory as ten lawsuits were consolidated into a class action this week. The union is being accused of negligence, breach of implied contract, and failure to notify victims in a timely manner following a major 2024 data breach that compromised sensitive personal data.
“The problem was they [data breach victims] weren’t notified for months and months and months, so that they could do something about it,” said Chip Rogers, President of Americans For Fair Treatment.
Timeline of the Breach and Delayed Notification
According to the Pennsylvania State Education Association (PSEA), the cybersecurity incident occurred on July 6, 2024. However, an internal investigation was only concluded on February 18, 2025, and impacted individuals were notified in mid-March—over eight months after the breach.
Pennsylvania law requires private entities to notify residents of a data breach “without unreasonable delay.” There is an exception if law enforcement instructs the organization to withhold disclosure during an investigation.
Despite this, the delayed notification is a central point of contention in the lawsuits, particularly given the scale of the breach. While PSEA has 178,000 active members, reports submitted to the Maine Attorney General’s Office indicate that over 500,000 individuals were affected.
Rhysida Ransomware Group Claims Responsibility
Although PSEA has not disclosed specific details regarding the breach or whether a ransom was paid, several outlets reported that the Rhysida ransomware group took credit for the attack in September 2024. PSEA has not confirmed or denied this attribution.
The stolen information includes:
- Social Security numbers
- Driver’s license data
- Medical details
- Bank account numbers
- Other forms of personally identifiable information (PII)
PSEA’s Official Response
In a statement issued via email, a PSEA spokesperson said:
“As soon as we became aware of this incident, we engaged cybersecurity professionals with expertise in these occurrences. We are complying with all legal and regulatory requirements.”
Legal and Regulatory Implications
The consolidated class action lawsuit seeks extended credit monitoring services, stronger data security protocols, and accountability for failing to act sooner. Under Pennsylvania state law, entities must offer at least one year of credit monitoring to victims of a data breach.
“They need to make it right for the people that have been affected by this,” Rogers said. “And then secondarily, they need to make sure that this never happens again.”
The Bigger Picture: Rise in Education Sector Cyberattacks
This incident adds to the growing list of education sector cyberattacks. In 2024, the Identity Theft Resource Center recorded over 3,100 data breaches, affecting 1.3 billion individuals globally.
According to James E. Lee, President of the Identity Theft Resource Center, most data breaches now stem from cyberattacks such as phishing, ransomware, and malware:
“Now, the way you defend against those is education. Because it involves a human. It’s training people don’t click on links. Don’t open up attachments that you don’t know where they originated.”
Lee also pointed out that these attacks are often orchestrated by well-organized cybercriminal groups:
“The bad guys only want to do things where they can make money at scale, and they can automate it. So for most people, we’re not on their radar screen.”
Still, he warned that the impact of personal information exposure can be devastating—emotionally, financially, and even physically.
Preventive Measures: Best Practices for Organizations
Lee recommended the following to reduce future identity theft risk:
- Use multi-factor authentication
- Transition to passkeys using biometrics instead of passwords
- Practice data minimization:
“If you don’t need it, don’t collect it. If you do need it, don’t keep it. Once the transaction is done, you get rid of it.”
Ongoing Legal and Policy Discussions
While civil litigation offers some avenue for redress, broader policy changes may be necessary to improve cybersecurity standards across industries.
“We would like the state to take a look at this and say, ‘why is this information being given to a union anyway?’” Rogers added.
As the case moves forward, the Pennsylvania State Education Association data breach remains a stark reminder of the ongoing vulnerabilities in the handling of personal data—especially within trusted institutions.