NOTICE TO LUERP AND 403(B) PLAN PARTICIPANTS
In early December 2024, Loyola University Chicago (“LUC”) was verbally notified by Legacy Professionals, LLP (“Legacy”) that Legacy had experienced a data breach. Legacy is the accounting firm that for many years has audited LUC’s historic defined benefit plan, which was closed to new participants over 20 years ago (“LUERP”), and LUC’s existing defined contribution retirement plan, currently administered by Transamerica (the “403(b) Plan”). Certain current and former employees of Loyola University Medical Center, St. Ignatius College Prep, Loyola Academy, Loyola Press, the USA Midwest Province of the Society of Jesus (or its affiliate, the Chicago Province of the Society of Jesus), and the Bellarmine Retreat Center also participate in the LUERP. The participants in the LUERP and 403(b) Plan who may have been affected by such data breach are referred to in this notice as the “Plan Participants.”
In response to such initial notice, LUC asked Legacy for additional information concerning the breach. In mid-December, Legacy wrote LUC and stated that on November 13, 2024, Legacy had been informed by a business partner that certain Legacy data had been posted on a “dark web” website maintained by a cybercriminal (such data, the “Legacy Data”). Legacy, working with outside legal counsel, then retained a third-party cybersecurity specialist to validate such report and assist in downloading the Legacy Data from the dark web site to try to determine the scope of the breach (the “Forensic Investigation”). Legacy also notified law enforcement authorities of the data breach. Legacy indicated it could not provide LUC with specific details at such time because the Forensic Investigation was continuing. Legacy said that if the investigation confirmed that personal information of Plan Participants was included in the Legacy Data, it would further advise LUC.
In January 2025, LUC reached out to Legacy for an update. In late January, Legacy advised LUC that it was close to finishing the Forensic Investigation and that it expected to have a confirmed list of all affected clients and individuals by January 31.
In mid-February, Legacy provided a written update to LUC. Legacy confirmed that the Forensic Investigation had determined that names, social security numbers, and certain other personal information of certain Plan Participants were included in the Legacy Data. Legacy has since told LUC that, based on Legacy’s data retention policy, such information would have included personal information of Plan Participants enrolled in one or both plans during the 2016 through 2023 time period.
In its mid-February update, Legacy said that it would be sending written notices to affected Plan Participants (the “Breach Notice(s)”). Such notices began to go out to Plan Participants in the last two weeks. In the Breach Notices, Legacy agrees to provide legally required notices to federal and state regulators, and to national consumer reporting agencies. Legacy also agrees to provide two years of free credit monitoring services to affected Plan Participants. Legacy also indicated that the data breach incident affected Legacy systems but did not impact any LUC systems. The mid-February update to LUC did not include a list of the Plan Participants impacted by the Legacy Data breach. Such list was provided to LUC on March 6, 2025.
Finally, the Breach Notices state that Legacy is not aware of any misuse of Plan Participant information related to the data breach. If you learn of any misuse of your personal information, or have other questions, please contact the Legacy dedicated hotline number at (877) 441-7153, Monday through Friday, from 6 a.m. to 6 p.m. Pacific Time, excluding U.S. holidays. You may also write to Legacy Professionals, LLP at P.O. Box 7008, Westchester, IL 60154.