Philadelphia

Philly Law Giant Fooled By Fake IT Call, 57,000 Clients Left Exposed

AI Assisted Icon
Published on July 08, 2026
Philly Law Giant Fooled By Fake IT Call, 57,000 Clients Left ExposedSource: Wikipedia/Utah Reps, Public domain, via Wikimedia Commons

An alleged social-engineering scam at Philadelphia powerhouse law firm Blank Rome has spilled the personal data of tens of thousands of people, after a hacker convinced one of the firm’s attorneys to upload client files to an outside Google Drive, according to court filings.

Plaintiffs in two proposed class actions say 57,554 current and former clients had information taken, including Social Security numbers, passport and driver’s license numbers, plus medical and insurance records. The incident unfolded on May 21 and now has one of Philly’s biggest firms defending itself instead of its clients.

The suits were filed Monday in the U.S. District Court for the Eastern District of Pennsylvania by former Blank Rome clients in California. They accuse the firm of negligence, breach of contract and violations of consumer-protection laws, and ask a judge to certify a nationwide class, award damages and order steps to protect victims' identities, according to The Philadelphia Inquirer.

How The Fake IT Call Went Down

Blank Rome’s sample notice filed with the California Attorney General says an "unauthorized third party" phoned one of the firm’s attorneys on May 21, claimed to be from the firm’s IT department and persuaded the lawyer to upload files to an external Google Drive account, according to the California Attorney General.

The notice says the firm identified the incident within about two hours, took the attorney’s device offline, deleted the files from the external drive and opened an investigation with outside cybersecurity professionals. Blank Rome also notified law enforcement and began sending notices to potentially affected individuals on or about June 26, according to the California Attorney General.

What Hackers May Have Grabbed

Reporting by Bloomberg Law and the court complaints says the files included names and Social Security numbers and may also have contained addresses, dates of birth, driver’s license and passport numbers, financial-account and payment-card information, and medical and health-insurance details. The suits say the incident affected 57,554 former and current clients.

Legal Fallout For A Major Philly Firm

Two nearly identical proposed class actions - Delapaz v. Blank Rome and Santana v. Blank Rome - were filed in the Eastern District of Pennsylvania seeking class certification, compensatory and punitive damages, and injunctive relief, according to Law360.

Counsel for the plaintiffs say the suits assert injuries ranging from invasion of privacy and out-of-pocket costs to an increased risk of identity theft and emotional distress. In other words, they are alleging this was not just an embarrassing tech slipup, but a breach with real-world consequences for clients who trusted the firm with their most sensitive data.

Legal Implications Beyond One Law Firm

The complaints allege Blank Rome failed to follow industry cybersecurity standards and did not comply with safeguards required by federal medical-privacy rules, with additional claims under state privacy statutes and health-data protections, Bloomberg Law reports.

If a court certifies a class, the litigation could put significant financial and reputational pressure on the firm and help shape how courts treat social-engineering incidents at professional-service outfits that routinely handle extremely sensitive information.

Blank Rome’s Response And What Victims Get

Blank Rome has said the incident was limited to a single attorney and that its wider network was never breached. The firm has told clients it spotted the issue quickly and deleted the files, The Philadelphia Inquirer reports.

The firm’s California notice says it has arranged complimentary credit-monitoring and identity-protection services through Epiq, provides a dedicated support line and lists its Philadelphia office contact information for questions, according to the California Attorney General.

Anyone who received a notice should read the firm’s packet for enrollment instructions, keep a close eye on bank and credit accounts, and consider placing fraud alerts or credit freezes with the major credit bureaus. The lawsuits are still in their early stages, and affected individuals who want to follow what happens next can track the Delapaz and Santana dockets in the Eastern District of Pennsylvania.