An unauthorized party accessed systems belonging to Monroe University between the dates of Dec. 9 and Dec. 23, 2024, copying files on the network. On Sep. 30, 2025, the university determined these files contained personal data “for certain individuals.” 

Potentially affected data includes: 

• Names
• Birth dates 
• Driver’s license numbers/passport numbers
• Medical/health insurance data 
• Social Security numbers 
• Government identification numbers 
• Financial account data 
• Electronic accounts/email usernames and passwords 
• Student information 

Mail notices were sent to impacted individuals on Jan. 2, 2026. The university’s statement on the subject asserts that it has “no evidence that information involved in this incident has been used for identity theft or fraud.” Although the university encourages individuals to monitor their credit, a report from The HIPAA Journal states that “credit monitoring services do not appear to have been offered.” 

A class action lawsuit has been filed against the university, asserting it failed “to safeguard sensitive personal and health information belonging to hundreds of thousands of students and applicants.” The complaint, filed by Plaintiff Rosemary Maysonet, claims the university didn’t enact reasonable data security measures and thus violated federal and state laws. 

Additionally, the lawsuit argues that the university didn’t notify affected individuals in a timely manner, as the mail notices were sent more than a year after the incident and months after the investigations determined the files contained personal data. The plaintiff seeks out-of-pocket expense reimbursement, compensatory damages, credit monitoring services, attorney fees, and improvements to the university’s data security measures.