HR Views

Court Rules Nonprofit Employer Association Must Face Data Breach Lawsuit

The Management Association (MRA) is facing a proposed class-action lawsuit after a data breach allegedly compromised the sensitive personal information of thousands. According to court filings, a Wisconsin worker sued the nonprofit after her personal and health-related data was exposed and potentially ended up on the dark web. She claims her information was shared with MRA through her employer, which is or was a member of the organization. The lawsuit alleges MRA failed to follow basic cybersecurity standards and waited over nine months before notifying affected individuals about the breach. A federal district court recently ruled that the lawsuit can proceed.

This case is part of a growing trend in which companies, and especially third-party service providers, are being held accountable for not adequately protecting personal data. MRA stores highly sensitive employee data for its member organizations, so when its systems were hacked, the breach affected over 3,400 people. The exposed data reportedly included names, birthdates, bank account details, medical information, and Social Security numbers. While MRA did eventually offer one year of credit monitoring and identity protection services, critics argue the damage was already done.

The broader issue here is the rising number of cyberattacks and the growing risks for businesses that handle employee data, especially through outsourced services. In 2023 alone, more than 134 million people were affected by large data breaches in the healthcare sector — a sharp rise from the previous year. And just recently, DISA Global Solutions, a background screening provider, reported a breach that impacted more than 3.3 million people.

At the heart of these lawsuits is the argument that companies have a responsibility to protect the data they collect — and when they don’t, they can be liable. The FTC has long warned businesses to be selective about the data they collect, limit access, and build strong internal protections. That includes ensuring only those who truly need access have it, constantly monitoring for intrusions, and properly vetting third-party vendors. Contracts with those vendors should include clear security expectations.

As the lawsuit moves forward, MRA must now answer to claims of negligence, violation of federal guidance, and unjust enrichment. It’s a stark reminder that safeguarding data isn’t optional anymore — it’s part of doing business. For companies, the takeaway is simple: treat data like gold, or risk paying the price.
