Skip to main content
A hacker sits in front of multiple computer monitors

Cierant Corporation Data Breach Investigation

Written by Joseph Lyon on . Posted in Data Breach.

The data breach lawyers at The Lyon Firm are investigating a recent data breach reported by Cierant Corporation in which unauthorized individuals allegedly gained access to sensitive information. Contact our legal team to discuss your options moving forward and to begin to take the next steps in the legal process. We represent clients in all fifty states and offer free consultations and case reviews.

What Happened at Cierant Corporation?

Cierant Corporation, a company that provides marketing software and services, including handling sensitive patient data for clients like Blue Cross and Blue Shield of Massachusetts, discovered a cyberattack incident on December 10, 2024. It wasn’t until July 3, 2025, however, that affected individuals were notified. This delay has raised concerns about the timeliness of the company’s response.

The attack was an apparent ransomware attack perpetrated by the hacking group CL0P, which exploited a vulnerability in Cierant’s file transfer system, Cleo VLTrader. As a result, both personally identifiable information (PII) and protected health information (PHI) were compromised. This includes names, addresses, dates of birth, health plan beneficiary numbers, medical record numbers, and more. The breach affected over 232,000 individuals, making it a substantial incident in the industry.

For the victims, the impact can be severe, and victims should understand the risks moving forward. Exposed PII and PHI can be used for identity theft, financial fraud, or even medical fraud. To mitigate these risks, Cierant is offering 12 months of free credit monitoring services through Epiq. Victims are encouraged to enroll in this service and to vigilantly monitor their financial accounts for any suspicious activity.

Additionally, contacting a class action attorney may be a good idea. Data breach laws vary by state, but many jurisdictions allow victims to seek damages if a company is found to have been negligent in protecting their data. In this case, the delay in notification and the nature of the attack could be key factors in determining liability.