Lee Enterprises accused of digital privacy violations
of ConsumerAffairsJuly 18, 2025
- Lee agrees to pay $9.5 million in a privacy settlement with subscribers.
-
Now faces three class-action lawsuits from employees over a 2025 data breach.
-
Lawsuits allege negligence, breach of contract, and failure to disclose crucial details.
Lee Enterprises, the Iowa-based media company that owns hundreds of newspapers across 25 states, including flagship titles like the Quad-City Times and Omaha World-Herald, is at the center of a growing legal crisis. The company has agreed to a $9.5 million settlement with subscribers alleging digital privacy violations and is now facing three federal lawsuits brought by employees over a massive data breach earlier this year.
Lee reached the $9.5 million settlement Lee with nearly 1.53 million subscribers earlier this year. The lawsuit accused the company of embedding tracking technology in its websites that shared users video-viewing habits with Facebook without proper disclosure or consent.
The class-action case, which involved subscribers who accessed video content on Lee websites between December 2020 and March 2025, claimed that data could be cross-referenced with Facebook accounts to identify individual viewing habits.
After a daylong mediation session in November 2024, the parties accepted a proposal by Judge Wayne R. Andersen to resolve the case. The settlement, if approved at a scheduled August 7 hearing, would not only compensate affected users but also require Lee to revise its digital privacy practices.
New lawsuits allege systemic negligence
Three new class-action lawsuits filed in U.S. District Court for the Southern District of Iowa accuse Lee of failing to protect employee data during a February 2025 cyberattack. Plaintiffsclaim that sensitive personal information including Social Security numbers, financial records, and health data was accessed by cybercriminals due to Lees lax cybersecurity practices.
The suits allege negligence, unjust enrichment, breach of an implied contract, and invasion of privacy. The plaintiffs are seeking damages on behalf of thousands of current and former employees.
According to the filings, Lee began notifying affected individuals on June 3, 2025, but failed to offer meaningful detailsccomitting the nature of the breach, exploited vulnerabilities, and any protective actions taken afterward. One lawsuit calls the companys notice no real disclosure at all.
Plaintiffs further argue the breach could have been prevented through basic cybersecurity protocols, including encryption, staff training, and intrusion detection systems.
Fallout from February cyberattack
Lee Enterprises disclosed that it incurred $2 million in costs to restore data systems following the February 2025 breach. The attack disrupted operations, including billing and vendor payments. The ransomware group Qilin claimed responsibility, alleging it accessed 350 gigabytes of company data, including contracts and internal documents.
According to filings with the SEC and the Maine attorney general, data from 39,779 individuals was exposed. The compromised files reportedly included a mix of names, Social Security numbers, drivers licenses, medical information, and insurance details.
The employees are represented by law firms in West Des Moines and Cedar Rapids.
The latest incidents add to Lees troubled cybersecurity history. In 2020, Iranian hackers were accused of breaching Lees systems as part of an election-related disinformation campaign. Two Iranian nationals were charged in federal court, and that criminal case remains ongoing.
#Newspaper #publisher #pay #million #subscribers