New claims could reshape industry standards
Union Home Mortgage is under fire in federal court after a sweeping data breach allegedly exposed thousands of clients’ most sensitive details to cybercriminals.
A class action complaint filed in the United States District Court for the Northern District of Ohio accuses Union Home Mortgage Corporation—a lender that operates in 48 states and the District of Columbia with approximately $5 billion in annual lending volume—of failing to protect the personal information it collects from clients. The lawsuit, brought by Ohio resident Victor DiMarco on behalf of himself and others similarly situated, claims the company’s security lapses led to a breach that compromised names, Social Security numbers, government-issued IDs, and dates of birth.
According to the complaint, Union Home Mortgage first detected the breach on June 25, 2025. By August 26, 2025, the company learned that customers’ personal information may have been accessed without authorization. On or about September 15, 2025, the company sent notices to affected individuals, including DiMarco, informing them that their private information may have been exposed as part of the breach.
The scale of the breach is detailed in the complaint. Union Home Mortgage reported to the Washington State Office of the Attorney General that 1,650 Washington residents were affected, and to the Texas Office of the Attorney General that 24,160 Texans were impacted. The complaint states that Union Home Mortgage has not explained why it was unable to prevent the breach, which security features failed, how unauthorized actors gained access, how the company failed to detect the intrusions, or how it intends to avoid similar incidents in the future.
DiMarco and the proposed class allege that Union Home Mortgage’s representations about taking clients’ financial privacy “very seriously” were not matched by its actual security measures. The complaint outlines alleged harms suffered by the plaintiff and class members, including loss of value of personal information, loss of time dealing with the breach, imminent threat and actual theft of personal information, financial loss from purchasing protective measures, and other quantifiable harm stemming from the breach.
The legal claims asserted are negligence, negligence per se, breach of implied contract, and unjust enrichment. The complaint alleges that Union Home Mortgage failed to adhere to commonly accepted security standards and Federal Trade Commission guidance, and that the harm caused by the breach includes invasion of privacy, theft of private information, lost or diminished value of private information, lost time and opportunity costs, and the continued risk to their private information.
For mortgage professionals, the case highlights the importance of robust data security practices and the potential legal, financial, and reputational consequences of a breach. The complaint seeks damages, non-monetary relief, and injunctive relief, including requirements for stronger data security systems and ongoing credit monitoring for affected individuals.
As this case moves forward, it will be closely watched by mortgage industry participants for its implications for compliance, risk management, and client trust. All facts, names, dates, and figures in this article are drawn directly from the filed complaint.


