Multiple class actions filed after water company data breach

The number of people impacted by the data breach is unknown, but American Water reportedly serves more than 14 million.

(Credit: the_lightwriter/Adobe Stock)

A New Jersey utility company has been hit with nine class action lawsuits since it announced that it was the target of a data breach.

The suits were filed by Brown LLC of Jersey City; Shub & Johns of Conshohocken, Pennsylvania; Federman & Sherwood of Oklahoma City, Oklahoma; Ahdoot & Wolfson of Radnor, Pennsylvania; Kopelowitz Ostrow Ferguson Weiselberg Gilbert of Bala Cynwyd, Pennsylvania; Laukaitis Law of San Juan, Puerto Rico; Chimicles Schwartz Kriner & Donaldson-Smith of Haverford, Pennsylvania; Carella Byrne Cecchi Brody & Agnello of Roseland, New Jersey; and George Feldman McDonald of New York.

Defendant American Water Works Co. of Camden, New Jersey, announced in a U.S. Securities and Exchange Commission regulatory filing on Oct. 3 that its networks and systems were compromised by a cybersecurity incident.

On Oct. 7, American Water posted notice of the data breach on its website. The notice advised customers of the continued potential harm to customer data; steps it would take to handle the data breach, including shutting down the company’s online payment billing and payment portal systems; and work being done in the aftermath of the data breach.

But days later, on Oct. 11, the first lawsuit stemming from the announcement was filed.

The most recent suit landed Oct. 22.

The number of people impacted by the data breach is unknown, but American Water serves more than 14 million across 14 states, according to the suits. American Water is the largest regulated water and wastewater utility company in the United States, its website states.

It’s unknown who was behind the American Water cyberattack, but other water facilities have been breached by Russian, Chinese and Iranian-backed cyberattackers in 2023 and 2024, according to TechTarget.com.

American Water “failed to adequately protect plaintiff’s and class members’ PII [personal identifiable information]—and failed to even encrypt or redact this highly sensitive information,” according to one of the suits, Karwoski v. American Water Works. “This unencrypted, unredacted PII was compromised due to defendant’s negligent and/or careless acts and omissions and its utter failure to protect its customers’ sensitive data. Hackers targeted and obtained plaintiff’s and class members’ PII because of its value in exploiting and stealing the identities of plaintiff and class Members. The present and continuing risk to victims of the data breach will remain for their respective lifetimes.”

Another of the suits, Menichini v. American Water Works, alleged that the defendant breached its obligations to the plaintiff and class members and were otherwise negligent because they failed to audit, monitor or ensure the integrity of its data security practices.

According to that proposed class action, the company’s alleged unlawful conduct includes: failing to adequately vet its vendors to ensure they maintained sufficient data security practices; failing to maintain an adequate data security system that would reduce the risk of data breaches and cyberattacks; failing to adequately protect customers’ and other related individuals’ private personal information; and failing to properly monitor its own data security systems for existing intrusions.

Counsel for American Water has yet to enter appearances in any of the suits. And the company’s senior director of external communications, Ruben Rodriguez, said American Water is unable to comment on pending litigation.

The Complex Claims and Litigation Forum 2025 is where leaders from insurance and the law converge to network, share strategies and dissect urgent industry trends. Don’t miss your chance to Prevent, Prepare and Prevail when it comes to complex insurance litigation. Follow this link to register.

Related: