Class action accuses mortgage lender of leaving borrower data unencrypted

The Fannie Mae-approved lender allegedly delayed breach notification by over 260 days

A Fannie Mae and Freddie Mac-approved lender is being sued over a data breach that allegedly left borrowers' Social Security numbers unencrypted. 

The class action, filed March 23, 2026, in the United States District Court for the Eastern District of New York, names US Mortgage Corporation as the defendant. The company, founded in 1994 and headquartered in Melville, New York, specializes in VA, FHA, USDA, and conventional loans, is licensed in 49 states and Washington, D.C., and has provided over $18 billion in loans to more than 57,000 homeowners. 

According to the filing, cybercriminals accessed a portion of the company's network from May 13 to May 14, 2025, and made off with names, birthdates, contact information, Social Security numbers, financial account details including mortgage account information, and limited medical information. The company detected suspicious activity on May 14, 2025, and engaged third-party cybersecurity experts. An investigation confirmed the unauthorized access in July 2025, and a data review was completed by October 2025. 

The timeline is where the case takes a sharper turn. The breach was not publicly disclosed until approximately March 2026 — over nine months after detection. The lawsuit alleges this violated New York law, which requires notification within 30 days of discovery. The filing puts the delay at more than 260 days beyond that statutory deadline. 

The allegations extend well beyond the notification gap. The lawsuit claims the company stored sensitive data without encryption, failed to implement multifactor authentication, lacked adequate network monitoring, and did not sufficiently train employees on cybersecurity threats. It also alleges the company fell short of its obligations under the Gramm-Leach-Bliley Act's Safeguards Rule, which requires financial institutions to maintain a comprehensive security program to protect customer information. 

The company's own privacy policy, cited in the filing, assured customers that sensitive data such as Social Security numbers was protected by encryption and that security systems were regularly audited. The lawsuit contends those assurances did not hold up. 

The case was brought by Richard Bernich, a former employee and a resident of Wantagh, New York, on behalf of all individuals whose information may have been compromised. The filing references thousands of affected individuals and places the amount in controversy above $5 million. A jury trial has been demanded. 

It is worth noting that the case is in its earliest stage. No class has been certified, no court ruling has been issued, and the allegations have not been proven or adjudicated. 

Still, the broader context makes this case hard to ignore. The filing cites data showing that financial services was the single most targeted sector for data breaches in 2024, with over 23 percent of all compromises nationwide hitting the industry. For mortgage professionals, the takeaway is straightforward: the sensitive data sitting in every loan file is exactly what cybercriminals are hunting, and the legal and regulatory consequences of leaving it unprotected are growing steeper by the year.