Cardinal Data Breach Lawsuit Investigation
Received a June 2025 breach notice from Cardinal?
Dapeer Law, P.A. is investigating a potential class action against Cardinal Services, Inc., Cardinal Employer Organization, and Preferred Employer Solutions (collectively, Cardinal), a Michigan-based professional employer organization, on behalf of current and former employees and customers whose personal information may have been exposed in the June 2025 cybersecurity incident.
Who may qualify
You may be eligible to participate in a class action if any of the following applies:
- You received a data breach notification letter from Cardinal dated June 2025.
- Your letter offered enrollment in free Epiq Privacy Solutions ID identity-protection services.
- You had personal information held by Cardinal in its capacity as a professional employer organization providing HR, payroll, or employment services.
- No proof of harm required to consult with counsel. You do not need to have already suffered identity theft to explore your legal options.
- Excluded: individuals who did not receive a breach notice and whose information was not involved in the incident.
Not sure if you qualify?
Send us your notice, we'll confirm your eligibility at no cost.
What happened
Cardinal Services, Inc., Cardinal Employer Organization, and Preferred Employer Solutions, a Grand Rapids, Michigan-based professional employer organization (PEO), reported to the Maine Attorney General on May 20, 2026, that malicious actors gained unauthorized access to its computer systems on two separate occasions in 2025. According to the Maine filing, the first intrusion window ran from June 25 to June 26, 2025. Cardinal states it detected suspicious activity on June 30, 2025, and immediately engaged outside cybersecurity professionals to investigate and contain the incident. A second unauthorized access event was detected on August 8, 2025, at which point additional containment measures were implemented.
Cardinal's forensic and document review concluded on May 12, 2026, when the company confirmed that personal information stored in the affected systems had been exposed. Notification letters were mailed to affected individuals and the breach was disclosed to the Maine Attorney General on May 20, 2026, approximately 11 months after the initial discovery. The public filing identifies full names as the category of data involved in the incident. No additional data elements were listed in the Maine notice, and Cardinal states it has no evidence of misuse stemming from the breach at this time. Cardinal is offering complimentary identity-protection services through Epiq Privacy Solutions ID to affected individuals.
As a professional employer organization providing HR, payroll, and employment solutions to businesses across the United States since 1984, Cardinal may hold a broader range of personal and employment-related data for current and former employees and client-company workers than the public notice currently reflects. The roughly 11-month gap between Cardinal's initial detection of suspicious activity and the mailing of notification letters is a procedural factor that may be significant under state data-breach notification statutes in several jurisdictions.
What to do if you received a letter
Keep your notice letter
Do not discard it. Your letter contains the enrollment code for the complimentary Epiq Privacy Solutions ID service and is important evidence if you decide to participate in a lawsuit.
Enroll in the free Epiq Privacy Solutions ID service
Follow the instructions in your letter to activate the complimentary Epiq Privacy Solutions ID identity-protection service before any stated deadline. Accepting this benefit does not waive your right to pursue legal action.
Place a fraud alert or credit freeze
Contact Equifax, Experian, and TransUnion to place a fraud alert or freeze on your file. Request a free weekly credit report from AnnualCreditReport.com, and use the FTC's IdentityTheft.gov recovery guide.
Speak with a data breach attorney
Consultations with Dapeer Law are free and confidential. We'll review your notice, explain your options, and advise whether you may be eligible to join a class action.
Submit your notice for a free review
Two minutes online. A licensed attorney reviews every submission.
Breach timeline
Compensation you may be entitled to
Out-of-pocket expenses
Credit freezes, identity restoration services, and other costs incurred responding to the breach.
Time spent monitoring
Hours spent reviewing accounts, disputing fraudulent charges, and dealing with identity theft issues.
Identity theft & fraud losses
Unreimbursed funds stolen from accounts, unauthorized credit lines, or tax refund fraud tied to the breach.
Statutory damages
Certain state data breach and consumer protection statutes provide for fixed damages regardless of actual loss.
Injunctive relief
Court orders requiring Cardinal to implement stronger data security practices going forward.
Compensation categories depend on applicable state law, the types of data exposed, and documented losses. No recovery is guaranteed.
Common questions
I received a data breach letter from Cardinal. What should I do? +
Keep your notification letter, as it contains the activation code for the complimentary Epiq Privacy Solutions ID service. Enroll in that service before any stated deadline. Consider placing a fraud alert or credit freeze with the major credit bureaus, and review your financial and insurance accounts for unfamiliar activity. Because Cardinal is a professional employer organization handling payroll and HR functions, affected individuals may also want to monitor employment-related accounts and benefit statements. Contact a data breach attorney to understand any legal claims you may have.
Am I eligible to join a class action against Cardinal? +
You may be eligible if you received a notification letter from Cardinal and your personal information was contained in the affected systems. Factors that may affect eligibility include the state in which you reside, the specific categories of data that were exposed, and any documented harm or losses you have experienced. An attorney can help confirm your eligibility and potential claims during a free consultation.
How much money could I receive from a class action lawsuit? +
Data breach class action recoveries vary significantly. Settlements typically range from a few hundred dollars for basic out-of-pocket losses to several thousand dollars for documented identity theft, with class size, damages, and negotiation all affecting the final amount. No payout is guaranteed, and this investigation has not yet resulted in a settlement.
What personal information was exposed in the breach? +
The Maine Attorney General filing states that full names were among the data present in the systems that were accessed. No additional categories were listed in the public notice. Because Cardinal operates as a professional employer organization handling HR, payroll, and employment functions, it is possible that a broader range of personal data was involved. Check your individual notification letter for any data categories specific to your record.
Did Cardinal offer free credit monitoring? +
Yes. Cardinal is offering complimentary identity-protection services through Epiq Privacy Solutions ID. Your notification letter includes enrollment instructions. The public filing does not specify the duration of coverage or the credit bureaus monitored. Enrolling in this service does not waive your right to participate in any legal action.
How many people were affected by the Cardinal breach? +
The total number of individuals affected was not publicly disclosed in Cardinal's Maine Attorney General filing. This page will be updated as additional information becomes available.
Is there a deadline to take legal action? +
Yes. Statutes of limitations for data breach claims vary by state and legal theory, typically ranging from one to six years. Waiting can permanently bar your claim. Contact us as soon as possible for a free evaluation.
How do I get a copy of the official breach notice? +
The breach notice filed with the Maine Attorney General is publicly available through the Maine AG Data Breach Notifications Portal. You can also contact Dapeer Law for a free consultation, during which we can help you obtain and review the applicable notice.
Sources & references
- Official breach notice filing · Maine Attorney General, Data Breach Notifications Portal
- Company · Cardinal Services, Inc., Cardinal Employer Organization, and Preferred Employer Solutions (cardinalservices.com)
- Credit bureau freezes · Equifax · Experian · TransUnion
- Free weekly credit reports · AnnualCreditReport.com
- Identity theft recovery guide · FTC IdentityTheft.gov
Don't let the deadline decide for you. Submit your claim today.
You only have a limited window to act. Our team will review your notice, explain your options, and tell you whether you may be eligible to recover compensation, at no cost to you.
