ORLANDO, Fla. — Personal information about OneBlood donors, including identities and social security numbers, was accessed by attackers during a hack of the nonprofit over the summer, a lawsuit and accompanying documents claimed.
▶ WATCH CHANNEL 9 EYEWITNESS NEWS
According to the letter dated January 9 to a woman named Amy Thrash in Mobile, Alabama, OneBlood determined that between July 14, 2024, and July 29, 2024, attackers copied the information from the organization’s systems, with the nonprofit only becoming aware of the attack on July 28.
OneBlood alerted the public about the attack several days later, but since then has refused to provide any insight about what may have been compromised, including whether donor information was accessed. The letter said the review of what was accessed was completed in December.
READ: Cyber experts offer safety tips following OneBlood ‘ransomware attack’
It did not say how many of OneBlood’s millions of donors were affected by this attack but it did say the organization would provide 12 months of credit monitoring to the people impacted.
Thrash filed a class action lawsuit in federal court Wednesday. She accused the company of not doing enough to protect sensitive donor information. She also accused the company of a lack of transparency that included the time it took to alert the public to the hack and the delay in notifying donors their information was stolen.
READ: OneBlood returns to normal operations after crippling cyberattack
“Delayed notification causes more harm and increases the risk of identity theft,” the lawsuit said. “Here, OneBlood knew of the breach since December 29, 2023 [sic] and did not notify the victims until January 7, 2025. Yet OneBlood offered no explanation of purpose for the delay.”
Thrash said the number of spam calls and emails she’s received greatly increased after the attack, and she now spends an hour per week monitoring her financial accounts for signs of fraudulent activity.
READ: OneBlood reports cyberattack has ‘significantly’ impacted its operations
When reached for comment, OneBlood pushed back on the accusations contained in the lawsuit.
“OneBlood worked as quickly as possible to conduct the investigation and subsequently notify impacted individuals,” spokeswoman Susan Forbes said. “The cyber incident OneBlood experienced was contained and OneBlood provided notification to the affected individuals in accordance with relevant law. OneBlood is also offering affected individuals complimentary identity monitoring.”
In addition to asking for damages, Thrash’s lawsuit asks for 10 years of credit monitoring as compensation.
Click here to download our free news, weather and smart TV apps. And click here to stream Channel 9 Eyewitness News live.
©2025 Cox Media Group
