Baltimore and New York archdiocese abuse survivors possibly exposed in cyber incident
The names and personal information of victims of sexual abuse by members of the Catholic archdioceses of Baltimore and New York may have been compromised by a cybersecurity breach in early March, according to court documents filed in U.S. Bankruptcy Court.
The breach affects at least ten bankruptcy proceedings involving dioceses and archdioceses nationwide, including Baltimore, Albany, Rochester, and Utica, New York, and several in California. The number of potential people exposed was unclear.
Berkeley Research Group (BRG), a financial advisory firm working on multiple church bankruptcy cases, notified federal trustees on April 28 about a data breach it discovered on March 2, according to a letter from the Department of Justice.
"Although such a large-scale data breach would be of concern to the United States Trustee in any bankruptcy case, that the breach occurred in archdiocesan and diocesan cases - where the claims information of sexual abuse survivors is the most sensitive and confidential of all information very concerning," Nan Roberts Eitel, Associate General Counsel for Chapter 11 Practice at the Justice Department wrote in the letter.
DOJ seeks more information on cyber incident
The DOJ asked BRG for more information about the breach and how it has been handled. They requested the case name, number, and district of each known person and any other suspected cases. They want to know if potential victims have been notified and why BRG waited nearly two months between discovering the breach on March 2 and notifying the U.S. Trustee Program on April 28.
Where does the Baltimore Archdiocese sex abuse case stand?
In 2023, the Maryland Attorney General found evidence that at least 165 priests, teachers, and employees under the church's supervision abused more than 600 children.
A lawsuit filed after the passage of the Child Victims Act, which removed the statute of limitations for child sexual abuse survivors, alleges that the church is responsible for more than 1000 claims of sexual assault - but is attempting to avoid compensating victims.
While the Child Victims Act allows survivors to receive a payout of $890,000 for each claim of abuse, the lawsuit claims the Archdiocese of Baltimore is using the doctrine of charitable immunity to prevent having to directly pay survivors.
Adding to the turbulence is a recent change to the Child Victims Act passed by the Maryland General Assembly in April, which limits the financial compensation to $400,000 for abuse claims involving public institutions and $700,000 for claims against private institutions. The compensation limits apply to any claims filed on or after June 1, 2025.
Victims of abuse by the Archdiocese of Baltimore who file claims after June 1 will only be able to receive up to $400,000, nearly half of the previous payout cap.
