Fidelity Investments agreed to pay $2.5 million to settle a class action lawsuit filed by customers affected by a data breach that compromised the personal information of over 155,000 account holders. The U.S. District Court for the District of Massachusetts granted preliminary approval to the settlement in March 2026, with U.S. District Judge Leo T. Sorokin overseeing the case.
Class members will receive compensation ranging from approximately $100 in pro rata cash payments to up to $5,000 for documented losses tied to the breach, plus two years of complimentary credit monitoring and identity theft protection services. The settlement stems from a breach discovered by Fidelity’s Life Insurance Company division on August 17-19, 2024, affecting customer data stored on the company’s systems. Although the breach was detected in mid-August, Fidelity did not notify affected customers until October 10, 2024—a delay of approximately seven to eight weeks. The extended notification period became a focal point in the litigation, with the settlement now requiring Fidelity to compensate victims for the extended exposure and any resulting financial or identity theft harm.
Table of Contents
- What Data Did Fidelity Lose in the 2024 Breach?
- Settlement Compensation and Payout Breakdown
- Credit Monitoring and Identity Theft Insurance Coverage
- Timeline for Settlement Approval and Distributions
- The Problem of Delayed Notification
- California Privacy Law Protections and the Additional $50 Payment
- What This Settlement Means for Data Breach Accountability
What Data Did Fidelity Lose in the 2024 Breach?
The Fidelity data breach exposed sensitive personal and financial information for 155,000 customers. The compromised data included full names, Social Security numbers, financial account information, and driver’s license information—a combination of details that creates significant identity theft risk. An individual with access to all four of these data points can potentially open fraudulent accounts, apply for credit, file tax returns, or commit other forms of identity fraud with relative ease.
The financial account information is particularly sensitive, as it gives criminals direct insight into where victims hold money and assets. Because the breach affected Fidelity’s Life Insurance Company division specifically, the majority of victims were likely customers with life insurance policies, annuities, or other insurance products through Fidelity. However, some customers may have had multiple accounts across Fidelity’s broader ecosystem, meaning a single breach notification could have affected multiple relationships with the company.

Settlement Compensation and Payout Breakdown
The $2.5 million settlement fund is divided among three compensation mechanisms. First, all eligible class members receive an estimated pro rata cash payment of approximately $100, which is a baseline payment distributed to every class member regardless of documented losses. Second, class members who can demonstrate specific out-of-pocket losses resulting from the breach—such as fraudulent charges, credit monitoring service costs, or identity theft recovery expenses—can submit claims for reimbursement up to $5,000. Third, California residents included in a separate subclass receive an additional $50 payment under the California Consumer Privacy Act, reflecting the stronger privacy protections that the state provides to its residents.
However, the actual settlement payout depends on several variables. If many class members file high-value claims, the per-person pro rata payment may decrease because the fund must be stretched further. Conversely, if few members claim documented losses, others receive more from the baseline fund. Additionally, the settlement must first receive final approval from the court and survive any appeal period before distributions begin, which means eligible victims will not receive any payment until July 2026 at the earliest.
Credit Monitoring and Identity Theft Insurance Coverage
Beyond cash compensation, Fidelity is providing two years of complimentary credit monitoring and identity theft protection services to all affected customers. This benefit is valuable because it allows victims to detect unauthorized accounts or fraudulent activity quickly. For example, if a thief opens a credit card or takes out a car loan in a victim’s name, the monitoring service should alert the victim within days, allowing them to dispute the fraudulent accounts before significant damage occurs.
The two-year period covers the timeframe when risk is typically highest, though identity theft can occur years after a breach. Additionally, the settlement includes up to $1 million in fraud and identity theft insurance coverage. This insurance reimburses class members for costs associated with restoring their identity, including legal fees, lost wages due to time spent resolving identity theft, and costs of correcting credit reports or replacing documents. This coverage is broader than the direct cash claim process and covers losses that might not be easily documented with receipts or invoices.

Timeline for Settlement Approval and Distributions
The preliminary approval hearing occurred in March 2026, meaning the court preliminarily found the settlement to be fair, reasonable, and adequate. However, preliminary approval is not the final word. The next critical date is July 9, 2026, when the court will hold a final approval hearing. Between now and then, class members have the right to object to the settlement or opt out of the class entirely, though these deadlines will be established in official court notices.
After the final approval hearing, if the judge approves the settlement, there is typically a period for any appeals to be filed—usually 30 days or longer, depending on the judge’s order. Distributions will only begin after all appeals have been resolved and final approval is truly final. This means the earliest eligible victims could receive payment is likely late 2026 or potentially early 2027. The delay is frustrating for victims but is a standard feature of class action litigation, as companies and their insurers seek to minimize risk of reversal before paying out funds.
The Problem of Delayed Notification
One of the more troubling aspects of this case is that Fidelity delayed notifying customers for over seven weeks after detecting the breach. During those seven to eight weeks, the compromised personal and financial information remained in the hands of unauthorized parties with no notification to the victims whose data was at risk. For customers actively monitoring their accounts or credit reports, this delay reduced the window available to them to take preventative action. For example, a victim who learned of the breach immediately in August might have placed a fraud alert on their credit file or requested a credit freeze—actions that can prevent criminals from opening accounts in their name.
Those who were not notified until October had already lost two months of protection. The settlement addresses this problem by compensating victims for the extended exposure period. However, it is important to note that seven to eight weeks is not an unusual delay in breach notifications—many companies notify customers weeks or even months after discovering breaches. State laws and federal regulations generally allow companies some time to investigate and notify, rather than requiring immediate notification, so Fidelity’s timeline, while frustrating, may not have violated any legal requirement.

California Privacy Law Protections and the Additional $50 Payment
California residents in the class receive an additional $50 payment because California’s Consumer Privacy Act (CCPA) provides specific protections and rights that go beyond federal law. The CCPA gives California residents the right to know what personal information businesses collect, to delete personal information, and to opt out of the sale or sharing of personal information. It also allows consumers to sue companies directly for data breaches involving unencrypted personal information.
The additional $50 payment in this settlement reflects the value of those enhanced rights and remedies available only to California residents. If you live in California and are part of this class, add Fidelity to the list of companies from which you request data deletion and a copy of your personal information file. You can also request that Fidelity not sell or share your personal information going forward, which may reduce your risk of future breaches.
What This Settlement Means for Data Breach Accountability
The Fidelity settlement is one of thousands of data breach cases brought against major financial services companies over the past decade. At $2.5 million, this settlement is relatively modest compared to major data breach settlements—for context, Equifax paid $700 million in 2019, and other large settlements have exceeded $100 million.
However, the Fidelity case demonstrates that even smaller financial services firms are facing legal consequences for data breaches, and courts are willing to approve settlements that include credit monitoring, identity theft insurance, and direct cash compensation. Going forward, companies are likely to continue facing data breach litigation, particularly as state data privacy laws multiply and consumer awareness increases. The settlement also signals that delayed notification—a common industry practice—is increasingly viewed as a basis for class action liability.
