Rhode Island's leading workers' comp insurer is facing a proposed class action over a January data breach that allegedly exposed claimants' Social Security numbers and medical records.
Kevin Malloy filed the suit against The Beacon Mutual Insurance Company on May 25, 2026, in the US District Court for the District of Rhode Island.
The complaint says Beacon learned of unauthorized activity on its network on January 14, 2026, and an investigation determined an outsider had been inside its files for the previous week, copying records as they went. Beacon sent notice letters on May 18, 2026 — four months later, according to the filing.
The data at stake is the kind that makes claims professionals wince: names, Social Security numbers, driver's license numbers, financial account information, health insurance details, and medical treatment information.
Malloy's argument is that an insurer holding this much sensitive policyholder and claimant data owed a duty to lock it down, and didn't. The complaint says Beacon kept the information unencrypted and failed to use reasonable security procedures matched to its sensitivity. Beacon, per the filing, admits unauthorized individuals got into its system but has said little about how.
To anchor the claim, Malloy points to widely accepted cybersecurity frameworks. The filing alleges Beacon fell short of the minimum standards of the NIST Cybersecurity Framework Version 1.1, listing specific controls covering access management, awareness training, data security, detection, and response. It also references the Center for Internet Security's Critical Security Controls.
Federal Trade Commission guidance also features. The complaint cites the FTC's 2016 publication "Protecting Personal Information: A Guide for Business," which tells companies to inventory data they hold, dispose of what they no longer need, encrypt sensitive information on their networks, understand their vulnerabilities, and put policies in place to fix problems. Malloy says Beacon's alleged failure to do these things is an unfair business practice barred by Section 5 of the FTC Act.
A separate section of the filing alleges Beacon violated HIPAA's privacy rules by failing to safeguard electronic protected health information.
The causes of action are negligence, negligence per se, unjust enrichment, breach of implied contract, and breach of confidence. Malloy is asking for class certification, damages, statutory penalties to the extent available, restitution, attorneys' fees, and a jury trial. The complaint says the amount in controversy exceeds $5 million and the proposed class includes more than 100 members.
The allegations have not been tested in court. Beacon has not yet filed a response, and no court has ruled.
