Adidas and UChicago Sued Over Data Breaches Caused by Third-Party Vendors
Thursday, June 5, 2025

What do a global sportswear giant and a prestigious medical center have in common? Apparently, a shared struggle defending data breach lawsuits for breaches of sensitive personal information caused by third-party vendors.

This week, Adidas America and the University of Chicago Medical Center found themselves on the receiving end of data breach lawsuits. The plaintiffs say both organizations failed to keep their personal info safe, and now want the courts to step in. According to the complaints, Adidas customer Karim Khowaja and UChicago patients Alta Young and Judy Rintala are calling out the companies for what they claim were lax data protection practices that led to their sensitive personal information falling into the wrong hands. Their key argument? The organizations should have known—and done—better.

Khowaja’s lawsuit alleges that Adidas provided a notification of the data breach that left customers with more questions than answers. Khowaja claims that Adidas did not identify the third-party vendor involved, what data was accessed, or when the breach occurred. Further, Khowaja claims this is not Adidas’ first data security blunder—he points back to a 2018 breach as proof the company should have been more vigilant.

“The more accurate pieces of data an identity thief obtains about a person, the easier it is… to take on the victim’s identity,” Khowaja warns in his complaint.

The same allegations are being directed at the University of Chicago Medical Center. According to Young and Rintala, the hospital didn’t discover the breach until ten months after suspicious activity was first detected by its financial services vendor, National Recovery Services LLC (NRS). Young’s lawsuit claims the breach affected 38,000 patients, and Rintala’s goes further, alleging that the hospital didn’t encrypt or redact any of the compromised data, leaving names, birth dates, and other sensitive information widely available to cybercriminals. “That ‘utter failure’ will present risks to patients for their respective lifetimes,” Rintala claims.

All three plaintiffs are looking to represent classes of similarly affected individuals and are asking for damages and injunctive relief. Each of the plaintiffs is also emphasizing the “real-world” costs of these breaches: time, money, and the emotional stress of trying to prevent identity theft or fraud.

These lawsuits highlight a growing trend: courts being asked to hold companies accountable for third-party vendor breaches. It raises an important question: How far does the responsibility go when it comes to data security? It may be as simple as: if you use a third-party vendor who has access to or maintains sensitive personal information, there is a known risk. Here, a “known risk” refers to a security vulnerability or threat that a reasonable organization should have been aware of—either through industry standards, past incidents, or internal warnings—and failed to adequately address.

In the UChicago case, Young argues that the medical center knew about the risks of working with external vendors like NRS, especially since the kind of breach that occurred is a common method of attack in healthcare data security:

  • Healthcare is a top target for hackers due to the volume of sensitive personal and financial data. This isn’t new—HIPAA guidance and cybersecurity advisories have warned about it for years.
  • NRS discovered “suspicious activity” ten months prior to informing UChicago.
  • The plaintiffs say this delay, paired with the lack of encryption or redaction, shows UChicago failed to properly vet or monitor its vendor—even though outsourcing doesn’t relieve them of responsibility under HIPAA and other regulations.

In Khowaja’s complaint, he makes a similar argument: Adidas previously experienced a breach. So, when it happened again—this time via a third-party customer service provider—he says the company can’t plead ignorance:

  • Adidas “knew or should have known” that outsourcing customer service introduced a risk of exposure.
  • Despite that, they allegedly didn’t put in the necessary safeguards to protect customer data or notify affected users with enough information to respond.

Again, the argument isn’t just about the breach itself—it’s about Adidas’ failure to anticipate a risk they’d already seen firsthand.

If the courts agree that failure to safeguard against a “known risk” is enough to trigger liability, we could see more plaintiffs lining up in similar cases across industries for incidents caused by third-party vendors.
