A newly filed class action lawsuit claims that digital insurance provider Lemonade exposed the personal information of up to 190,000 drivers, including their license numbers, to cybercriminals through its online auto insurance quote system.

Filed in federal court in Manhattan, the suit accuses Lemonade of failing to protect users’ private information and of violating the federal Driver’s Privacy Protection Act, New York’s consumer protection laws, and Federal Trade Commission (FTC) data security standards.

According to the complaint, Lemonade allegedly failed to discover a technical vulnerability for two years that led to the data breach. While the company has claimed it would address the issue promptly, the lawsuit argues that there’s no clear indication that meaningful steps have been taken. The plaintiffs are seeking financial compensation, reimbursement of expenses, and a court order mandating stronger data protection measures.

The legal action follows Lemonade’s April 9, 2025, disclosure to the Securities and Exchange Commission (SEC), in which it admitted that its digital auto insurance quote application may have unintentionally revealed the driver’s license numbers of nearly 190,000 individuals between April 2023 and September 2024.

The company stated that a technical problem led to some data being transmitted without the usual security protections. In its SEC filing, Lemonade said it identified the issue on March 14, 2025, took steps to patch the flaw, and planned to notify regulators and affected individuals. Lemonade characterized the issue as “not material.”

Lead Plaintiff’s Allegations

Leslie Rich, a resident of Arizona and the lead plaintiff in the case, claims Lemonade’s system leaked his driver’s license number and personal data. Rich says that as a result, he became a victim of identity theft and fraud in October and November 2024.

According to the lawsuit, criminals used Rich’s stolen data to apply for several auto loans and conduct unauthorized trades within his Fidelity retirement account. Rich also received written notice in April stating that Lemonade had disclosed his license number to unapproved parties.

The suit argues that Lemonade’s website effectively served as a tool for retrieving driver’s license information. It claims scammers were able to exploit the platform by entering a person’s name and address to access license numbers—without Lemonade verifying whether users were authorized to view the data.

Additionally, the lawsuit alleges that Lemonade failed to install adequate safeguards to detect whether a user was a human or an automated program, such as a bot.

The online quoting system reportedly uses a combination of the user’s name, birthdate, and address, along with supplementary data sourced from third-party brokers, to automatically populate license information during the quoting process.

The proposed class includes individuals who, like Rich, never interacted with Lemonade or applied for its services. The lawsuit claims that cybercriminals were able to harvest personal data on a mass scale due to how Lemonade’s quote tool was configured.

According to the complaint, Lemonade’s alleged negligence enabled “a broad, coordinated effort by fraudsters to utilize insurance quote tools to gather license numbers and commit widespread identity fraud.”

The company began mailing notifications to affected individuals on April 10, 2025. However, the suit emphasizes that the data exposure persisted for 17 months and that Lemonade failed to notify victims for two full years after the issue began.

Broader Industry Issues

This legal filing is part of a broader wave of litigation and regulatory actions against insurance companies accused of compromising drivers’ sensitive data through poorly secured online platforms.

New York Attorney General Letitia James recently imposed $975,000 in fines on auto insurer Root for a data breach that affected approximately 45,000 residents of the state. Although Root does not sell insurance in New York, bad actors allegedly accessed the license numbers and personal data of many New Yorkers.

Earlier settlements include $5.1 million from GEICO and Travelers and $500,000 from Noblr for failing to protect New Yorkers’ personal data from similar breaches.

In March 2025, Attorney General James also brought legal action against Allstate Insurance and its affiliate National General, alleging that their systems exposed the license data of over 165,000 people in the state.

Additionally, Lemonade previously settled a $5 million class action lawsuit in 2024 involving the alleged illegal sharing of life insurance applicants’ sensitive personal and health-related information with third-party platforms including TikTok, Facebook, and Snapchat. That suit claimed Lemonade violated state and federal privacy laws as well as consumer rights.