Adidas and UChicago Sued Over Data Breaches Caused by Third-Party Vendors

By Kathryn Rattigan on June 5, 2025

What do a global sportswear giant and a prestigious medical center have in common? Apparently, a shared struggle defending data breach lawsuits for breaches of sensitive personal information caused by third-party vendors. 

This week, Adidas America and the University of Chicago Medical Center found themselves on the receiving end of data breach lawsuits. The plaintiffs say both organizations failed to keep their personal info safe, and now want the courts to step in. According to the complaints, Adidas customer Karim Khowaja and UChicago patients Alta Young and Judy Rintala are calling out the companies for what they claim were lax data protection practices that led to their sensitive personal information falling into the wrong hands. Their key argument? The organizations should have known—and done—better.

Khowaja’s lawsuit alleges that Adidas provided a notification of the data breach that left customers with more questions than answers. Khowaja claims that Adidas did not identify the third-party vendor involved, what data was accessed, or when the breach occurred. Further, Khowaja claims this is not Adidas’ first data security blunder—he points back to a 2018 breach as proof the company should have been more vigilant.

“The more accurate pieces of data an identity thief obtains about a person, the easier it is… to take on the victim’s identity,” Khowaja warns in his complaint.

The same allegations are being directed at the University of Chicago Medical Center. According to Young and Rintala, the hospital didn’t discover the breach until ten months after suspicious activity was first detected—by its financial services vendor, National Recovery Services LLC (NRS). Young’s lawsuit claims the breach affected 38,000 patients, and Rintala’s goes further, alleging that the hospital didn’t encrypt or redact any of the compromised data—leaving names, birth dates, and other sensitive information widely available to cybercriminals. “That ‘utter failure’ will present risks to patients for their respective lifetimes,” Rintala claims.

All three plaintiffs are looking to represent classes of similarly affected individuals and are asking for damages and injunctive relief. Each of the plaintiffs is also emphasizing the “real-world” costs of these breaches: time, money, and the emotional stress of trying to prevent identity theft or fraud.

These lawsuits highlight a growing trend: courts being asked to hold companies accountable for third-party vendor breaches. It raises an important question: How far does the responsibility go when it comes to data security? It may be as simple as: if you use a third-party vendor who has access to or maintains sensitive personal information, there is a known risk. Here, a “known risk” refers to a security vulnerability or threat that a reasonable organization should have been aware of—either through industry standards, past incidents, or internal warnings—and failed to adequately address.

In the UChicago case, Young argues that the medical center knew about the risks of working with external vendors like NRS, especially since the kind of breach that occurred is a common method of attack in healthcare data security:

  • Healthcare is a top target for hackers due to the volume of sensitive personal and financial data. This isn’t new—HIPAA guidance and cybersecurity advisories have warned about it for years.
  • NRS discovered “suspicious activity” ten months prior to informing UChicago.
  • The plaintiffs say this delay, paired with the lack of encryption or redaction, shows UChicago failed to properly vet or monitor its vendor—even though outsourcing doesn’t relieve them of responsibility under HIPAA and other regulations.

In Khowaja’s complaint, he makes a similar argument: Adidas previously experienced a breach. So, when it happened again—this time via a third-party customer service provider—he says the company can’t plead ignorance:

  • Adidas “knew or should have known” that outsourcing customer service introduced a risk of exposure.
  • Despite that, they allegedly didn’t put in the necessary safeguards to protect customer data or notify affected users with enough information to respond.

Again, the argument isn’t just about the breach itself—it’s about Adidas’ failure to anticipate a risk they’d already seen firsthand.

If the courts agree that failure to safeguard against a “known risk” is enough to trigger liability, we could see more plaintiffs lining up in similar cases across industries for incidents caused by third-party vendors.

Kathryn Rattigan

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy+ Cybersecurity Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security compliance. Kathryn helps clients review, revise and implement necessary policies and procedures under the Health Insurance Portability and Accountability Act (HIPAA). She also provides clients with the information needed to effectively and efficiently handle potential and confirmed data breaches while providing insight into federal regulations and requirements for notification and an assessment under state breach notification laws. Prior to joining the firm, Kathryn was an associate at Nixon Peabody. She earned her J.D., cum laude, from Roger Williams University School of Law and her B.A., magna cum laude, from Stonehill College. She is admitted to practice law in Massachusetts and Rhode Island. Read her full rc.com bio here.

  • Posted in:
    Privacy & Data Security
  • Blog:
    Data Privacy + Cybersecurity Insider
  • Organization:
    Robinson & Cole LLP