Goodwin U. faces 2 lawsuits over December data breach

Two separate lawsuits filed in federal court in Connecticut accuse East Hartford-based Goodwin University of failing to adequately protect personal and health information of students, faculty and others that was exposed during a cyberattack in December.

The lawsuits, filed four days apart this month in U.S. District Court in Hartford, seek class-action status and claim the private university’s data security failures allowed hackers to access “highly sensitive information” belonging to thousands of students, prospective students, faculty, donors and others connected to the school.

According to the school’s website, Goodwin, located at 1 Riverside Dr. in East Hartford, enrolled just over 3,000 full- and part-time students in 2025, 95% of whom are based in Connecticut. It has 83 full-time faculty.

In response to a request for comment, a Goodwin spokesperson said the university does not comment on pending litigation.

The first lawsuit, filed May 8 by Indiana resident Kimberly Hamlin, states that Goodwin officials discovered a disruption to the school’s IT network on Dec. 4 and later determined that files containing sensitive data may have been acquired without authorization.

The second lawsuit, filed May 12 by Maryland resident Eseosa Ufumwen, similarly claims that an intruder gained unauthorized access to Goodwin’s database on or about Dec. 4.

According to the complaints, the compromised information included names, Social Security numbers, driver’s license and state ID numbers, U.S. Citizenship and Immigration Services (USCIS) alien registration numbers, biometric information and personal health information.

Both lawsuits also claim the university waited until about April 16, or more than four months after discovering the incident, to notify affected individuals.

The Hamlin lawsuit claims that Goodwin failed to comply with cybersecurity standards and guidance issued by agencies that include the Federal Trade Commission, the FBI and federal health privacy regulators.

The data breach does not appear to have been reported to the U.S. Department of Health and Human Services Office for Civil Rights, which maintains an online list of data breaches nationwide. The website, which provides information about each data breach and the number of people affected, does not include a listing for the Goodwin University incident.

Each federal lawsuit argues that the exposed personal information could be used for identity theft and fraud, and each seeks monetary damages for affected individuals.

The Ufumwen complaint also seeks court-ordered cybersecurity reforms, including third-party security audits, mandatory employee training, encryption requirements and 10 years of independent monitoring.

The cases were filed by separate law firms and have been assigned to different federal judges.