A California borrower says the Irvine lender sat on a Social Security number breach for nearly two years
A California borrower is suing Impac Mortgage Holdings, claiming the Irvine-based lender waited nearly two years to disclose a data breach involving Social Security numbers.
The lawsuit, filed on April 27, 2026 in the US District Court for the Central District of California, puts a question in front of the mortgage industry that compliance teams have been turning over for some time now: how long is too long to tell borrowers their data has been exposed?
According to the filing, Impac noticed something wrong inside its computer systems on March 20, 2024 and opened an investigation. That review allegedly traced the activity to an unknown person who may have accessed certain files between February 21, 2024 and March 20, 2024. The lender then worked to figure out what data was involved and whose, the filing states, and concluded that names and Social Security numbers may have been caught up in the incident.
What happened next is the part the suit zeroes in on. Impac filed notice with the California Attorney General and started mailing letters to affected individuals on March 27, 2026 - close to two years after it first spotted the intrusion, according to the pleading.
The named plaintiff, Monica P. Espejo of Anaheim, California, is suing on behalf of a proposed nationwide class of everyone in the US whose information was caught up in the breach. The filing estimates the class runs into the thousands and puts the amount in controversy above $5 million under the Class Action Fairness Act. Impac, which operates out of 19800 MacArthur Blvd. in Irvine, is described in the suit as a residential mortgage lender that finances home purchases and refinances across the country.
The suit lays out five legal theories, including negligence and breach of implied contract, and alleges that Impac did not put reasonable safeguards around the borrower data it held, did not encrypt information on its networks, and did not move quickly enough to warn the people affected once it knew. It also leans on Section 5 of the Federal Trade Commission Act and FTC guidance directing companies to run intrusion detection systems and keep an immediate response plan ready.
For mortgage professionals, the timing piece is the part worth watching. Lenders routinely collect sensitive borrower information as a condition of originating a loan, and breach notification rules are stitched together from state laws and the Gramm-Leach-Bliley Safeguards framework. A case that treats a two-year gap as something a jury should weigh in on - rather than a normal byproduct of working through a forensic review - could nudge how plaintiffs' lawyers approach the next lender that finds itself in the same spot.
The allegations have not been tested in court. Impac has not yet filed a response, and no court has ruled on the claims. The company could not be reached for comment in time for publication.
