DISA Global Solutions Drug Testing Data Breach: Woods Lonergan PLLC Investigates Class Action – 3.3 Million Individuals’ Sensitive Information Exposed on Dark Web

By Andreas Christou
Associate Attorney

NEW YORK, NY – [February 27, 2025] – Woods Lonergan PLLC, a leading complex litigation firm whose practice includes class action lawsuits and data privacy litigation, is actively investigating a class action against DISA Global Solutions, a major nationwide provider of background screening, drug and alcohol testing, and compliance services, following a massive data breach that potentially exposed the sensitive information of over 3.3 million individuals. This breach potentially compromised a large amount of individuals’ sensitive Personally Identifiable Information (PII) and Protected Health Information (PHI), including:

  • Full Names,
  • Social Security Numbers (SSNs),
  • Driver’s License Numbers,
  • State and Government ID Numbers,
  • Financial Account Information (including credit card numbers),
  • Contact Details (Including Phone numbers and Home Addresses),
  • Employment and Education History,
  • Criminal and Background Checks,
  • Drug and Alcohol Testing Data, and
  • Medical and Health-Related Data  

If you or a family member received a notification from DISA or a notice from your current/former employer about the DISA data breach, your personal information may be at risk. Please call our law offices at (212) 684-2500 to speak with our Data Breach Litigation Team today.

Details of the DISA Data Breach and Alleged Negligence

DISA Global Solutions is a full-service employee screening solutions provider based in Houston, Texas. Founded in 1986, DISA offers a comprehensive line of employee screening services, including drug and alcohol testing and background screening. DISA’s drug and alcohol testing services include pre-employment, random, post-accident, and reasonable suspicion testing.

Today, DISA works with more than 55,000 companies (including 135 Fortune 500 companies) across a range of industries such as industrial, healthcare and life sciences, DOT and transportation, staffing and recruiting, franchises, retail, hospitality, and more.

DISA disclosed a “cyber incident” affecting a “limited portion” of its network on April 22, 2024. However, the company’s internal investigation revealed that unauthorized access began on February 9, 2024. Critically, DISA did not begin notifying affected individuals until February 21, 2025, representing a delay of 305 days between the discovery of the breach and notification. 

  • DISA Breach Start Date: February 9, 2024
  • DISA Breach Discovery Date: April 22, 2024 
  • DISA Notification Date: February 21, 2025
  • DISA Notification Delay: 305 days

This significant delay in notifying potentially millions of individuals is a major concern and a potential violation of numerous state data breach notification laws, which often require notification without unreasonable delay, and in many cases within a much shorter time frame (e.g., 30-45 days, or even shorter in some states).

Disturbingly, in its data breach notification letter, DISA stated it “could not definitively conclude the specific data procured,” indicating a potential lack of adequate data logging and monitoring capabilities. This raises serious concerns about DISA’s data security practices. While DISA has reportedly paid a ransom to prevent the stolen data from being publicly released, this does not guarantee the data’s safety or prevent its misuse on the dark web.

“Background check companies are prime targets for cybercriminals because of their long-term storage of vast amounts of highly sensitive personal data – and this isn’t always as well protected as it should be,” said Cory Michal, CSO at security company AppOmni, in an article by IT Pro.[1] Michal further emphasized the vulnerability of these companies due to potentially weaker security controls compared to financial institutions.

This prolonged, undetected breach, and the unacceptable delay in notifying affected individuals, suggest potential negligence in DISA’s handling of sensitive information. This alleged negligence may constitute a violation of various state and federal privacy laws.

Industries Affected by the DISA Data Breach

DISA provides a wide range of employee screening and compliance services, making individuals employed in the following sectors particularly vulnerable to the effects of DISA’s data breach:

  • Healthcare: Hospitals, clinics, assisted living facilities, nursing homes, and other healthcare providers rely on DISA for background checks, drug testing (pre-employment, random, post-accident, and reasonable suspicion), and occupational health screenings to ensure patient safety and regulatory compliance.
  • Transportation: This sector encompasses trucking companies, railroads, marine operations, airlines, and mass transit systems. DISA provides crucial DOT (Department of Transportation) compliance services, including drug and alcohol testing (pre-employment, random, post-accident, and reasonable suspicion), driver qualification files, and background checks.
  • Entertainment: Specifically, DISA’s DECS (DISA Entertainment Compliance Solutions) division caters to the motion picture, commercial, and digital media industries, providing DOT compliance services like driver qualification files and drug testing (pre-employment, random, post-accident, and reasonable suspicion).
  • Franchises: DISA offers tailored employee screening solutions for various franchise businesses, helping them maintain consistent hiring standards across locations.
  • Diversified Industrials & Processing: This includes companies involved in refining, chemical and petrochemical processing, power generation, midstream operations, LNG (liquefied natural gas), mining, and other related industrial processes. DISA’s services in this sector likely include background checks, drug testing (pre-employment, random, post-accident, and reasonable suspicion), and safety compliance.
  • Hospitality: This includes:
    • Restaurants: From fast-food chains to fine dining establishments.
    • Hotels: From front desk to housekeeping. 24-hour staffing.
    • Convenience Stores: 24-hour staffing.
    • Recreational Facilities: Golf courses, gyms, leisure centers, and theme parks. DISA helps ensure staff meet safety and service standards, likely including drug testing (pre-employment, random, post-accident, and reasonable suspicion) and background checks.
  • Retail: DISA provides employee screening and compliance services to a variety of retail businesses, helping them manage risk and maintain a safe environment.
  • Construction: DISA likely provides drug and alcohol testing (pre-employment, random, post-accident, and reasonable suspicion), as well as safety checks and safety compliance, for construction companies.
  • Manufacturing: DISA offers a range of services for worker safety and compliance, likely including drug testing (pre-employment, random, post-accident, and reasonable suspicion) and background checks.
  • Energy: DISA’s comprehensive services cover a range of worker safety and screening needs, including drug testing (pre-employment, random, post-accident, and reasonable suspicion).

Potential Impact on Victims of the DISA Data Breach

The DISA data breach puts millions of individuals at significant risk of:

  • Identity Theft: Criminals can use stolen SSNs and other PII to open fraudulent accounts, apply for loans, and commit other forms of identity theft.
  • Financial Fraud: Stolen credit card numbers and financial account information can be used for unauthorized purchases and transactions.
  • Unemployment Insurance and Tax Fraud: SSNs can be used to file fraudulent unemployment claims or tax returns.
  • Synthetic Identity Fraud: Criminals can combine stolen data with fake information to create entirely new identities.
  • Phishing and Social Engineering Attacks: The stolen data can be used to craft targeted phishing emails or social engineering schemes to trick victims into revealing even more sensitive information.
  • Corporate Espionage/Insider Threats: Stolen employment history and background check details could be used for malicious purposes within organizations.
  • Privacy Violations and Blackmail: If medical or drug testing data was compromised, victims could face severe privacy violations and even blackmail.

“Storing SSNs for any purpose should require a higher level of security, and using SSNs to identify digital consumers is an obsolete data management practice,” said Jim Routh, chief trust officer at Saviynt, in a statement to InfoSecurity Magazine.[2]  

Legal Claims in the DISA Data Breach

Woods Lonergan’s Data Breach attorneys are focused on potential violations of:

  • State Data Breach Notification Laws: Violations of relevant state laws requiring timely notification and adequate data security measures.
  • Negligence: DISA’s failure to adequately protect sensitive data and its failure to detect the breach promptly.
  • Breach of Contract: Potential breach of contract with clients who relied on DISA to protect their employees’ data.
  • Other Potential Claims: Depending on the specific circumstances and applicable state laws, additional claims may be possible.

“The lack of transparency regarding the root cause of this breach is deeply troubling,” said Jim Woods, Managing Partner of Woods Lonergan PLLC. “DISA’s inability to definitively identify the compromised data, and the 305-day delay in notifying victims after the discovery, highlight a serious failure to protect highly sensitive information. We are committed to holding DISA accountable and securing compensation for those affected.”

Contact our Data Breach Litigation Team 

If you or a family member received a notification from DISA or a notice from your current/former employer about the DISA data breach, your personal information may be at risk. Please call our law offices at (212) 684-2500 to speak with our Data Breach Litigation Team today.

Woods Lonergan PLLC is a leading New York-based litigation firm specializing in complex civil litigation, including class action data privacy and cybersecurity matters. Our law firm is currently representing plaintiffs in the 23andMe Data Breach Lawsuit, in which a proposed settlement of $30 million is pending approval in the U.S. District Court for the Northern District of California. Woods Lonergan has a proven track record of successfully holding large corporations accountable for failing to protect highly sensitive consumer data.

  • [1] Emma Woollacott, Background check firm DISA breach exposes 3.3 million people’s sensitive data, IT Pro (May 31, 2024).
  • [2] Alessandra Mascellino, DISA Data Breach Affects Over 3.3 Million People, InfoSecurity Magazine (May 30, 2024).
About the Author
Andreas E. Christou is an Associate Attorney with Woods Lonergan PLLC, having joined in 2020. Andreas received his J.D. from St. John’s University School of Law and his B.A. in Political Science from Pace University. Previously, Andreas worked at a Queens-based law firm where he litigated in state and federal courts and primarily handled consumer bankruptcy, real estate litigation and commercial litigation matters. At Woods Lonergan, Andreas handles a variety of state and federal matters including bankruptcy, real estate litigation, specifically focused on representing the boards of condominium and cooperative communities in New York City, FLSA actions, personal injury, and general commercial and corporate litigation. If you have any questions regarding this blog, you can book a consultation with Andreas here.
Disclaimer: The information in this article and blog post (“post”) is provided for informational purposes only, and may not reflect the current law(s) in every jurisdiction. No information contained in this post should be construed as legal advice from Woods Lonergan PLLC or the individual author(s), nor is it intended to be a substitute for legal counsel on any subject matter. Nothing herein shall be construed to create an attorney-client relationship with Woods Lonergan PLLC. No reader of this post should act or refrain from acting on the basis of any information included in, or accessible through, this Post without seeking the appropriate legal or other professional advice on the particular facts and circumstances at issue from an attorney licensed in the recipient’s jurisdiction. This post is attorney advertising.