A major class action filed Sept. 15 accuses Farmers Insurance of failing to protect over a million customers’ personal data in a recent breach.
The lawsuit, brought by Arizona resident Arlene Ozburn in the U.S. District Court for the Central District of California, puts the spotlight on data security practices at one of the nation’s largest insurance providers. According to the complaint, Farmers Group, Inc. and Farmers Insurance Exchange were alerted by a third-party vendor on May 30 to suspicious activity involving unauthorized access to a database containing customer information. After conducting an internal investigation, which concluded on July 24, Farmers determined that sensitive personal information had been accessed and acquired by an unauthorized actor.
The data exposed in the breach included names, addresses, dates of birth, driver’s license numbers, and the last four digits of Social Security numbers belonging to policyholders. The complaint states that the breach affected at least 1,111,386 policyholders. Farmers began notifying those impacted by the breach on or about August 22, 2025, nearly a month after the investigation was completed.
Ozburn’s complaint alleges that Farmers failed to implement adequate and reasonable cybersecurity procedures and protocols necessary to protect the personally identifiable information (PII) entrusted to them by policyholders. The lawsuit claims that, despite having numerous statutory, regulatory, contractual, and common law obligations to keep customer data confidential and secure, Farmers did not take sufficient steps to prevent unauthorized access. The delay in notifying affected individuals is also highlighted in the complaint, with the plaintiff arguing that the company’s response left customers at increased risk of identity theft and fraud.
The lawsuit seeks damages and injunctive relief, including improvements to Farmers’ data security systems and the provision of long-term credit monitoring services for those affected. Ozburn and the proposed class allege that they have suffered actual and concrete injuries as a direct result of the breach, such as financial costs incurred to mitigate the risk of identity theft, loss of time and productivity, and the continued risk to their sensitive information.
The case centers on the general responsibility of insurance companies to safeguard customer information and comply with industry standards and regulatory requirements. The complaint references federal guidelines and industry best practices, arguing that Farmers’ alleged failure to follow these standards contributed to the breach and the resulting harm.
At this stage, the case remains at the complaint phase, with no final decision issued by the court. The outcome will be closely watched by insurance professionals, as it underscores the growing importance of robust data security measures in the industry and the potential consequences when those measures fall short. With cyber threats continuing to rise, the insurance sector faces increasing pressure to ensure customer data is protected- not only to maintain trust, but also to avoid costly litigation and regulatory scrutiny.
