CRAZY CIVIL COURT
OKLAHOMA COUNTY • CJ-2026-1077

Seychelle Kessler v. Excel Fitness Consolidator, LLC d/b/a Excel Fitness Management, LLC

Filed: Feb 9, 2026
Type: CJ

What's This Case About?

Let’s get one thing straight: 160,000 people had their Social Security numbers, financial info, and most intimate personal details stolen from a gym chain—not a shady back-alley data broker, not a sketchy cryptocurrency startup, but a Planet Fitness franchise. And not only did Excel Fitness Consolidator fail to protect that data, but they also waited seven months to tell anyone. Seven. Months. That’s longer than it takes to grow a watermelon, and somehow shorter than the amount of time your credit score might take to implode after this mess.

Meet Seychelle Kessler and Reginald Lipford—two ordinary folks who just wanted to get in shape or maybe land a job. Seychelle applied for work at an Excel Fitness gym in 2024, handed over her Social Security number like any normal job applicant would, and never even got the gig. Reginald? He was a customer, which means he probably just wanted to use the tanning beds and avoid eye contact on the elliptical. Neither of them signed up for a side of identity theft with their membership. But that’s exactly what they got when hackers slipped into Excel Fitness’s email accounts like they were walking into an unattended locker room. Between September 2024 and January 2025, cybercriminals quietly rummaged through employee inboxes—reading, copying, stealing—while Excel Fitness apparently didn’t notice, didn’t care, or didn’t have the basic tech to find out.

Then came the cherry on top: the notice letter. Dated August 8, 2025—over six months after the breach was discovered—Seychelle and Reginald finally got a form letter that read like a corporate apology haiku: “Oops, your data got taken. Here’s 12 months of free credit monitoring. Sorry not sorry.” No details. No transparency. Just a vague “limited number of email accounts” were accessed, and by the way, your Social Security number might be floating around the dark web like a lost gym towel.

Now, let’s talk about what should’ve been in place. This isn’t rocket science. It’s Cybersecurity 101. Encrypt your data? Check. Delete info you don’t need? Check. Multi-factor authentication so some hacker in a basement can’t just waltz into an employee’s email? Check, check, check. The FTC has a whole guide called “Protecting Personal Information: A Guide for Business”—yes, really, it’s a thing—and Excel Fitness apparently skipped the chapter titled “Don’t Be a Sitting Duck.” They didn’t follow NIST standards. They didn’t patch their systems. They didn’t monitor for suspicious logins. They didn’t train their staff. They didn’t do… well, anything that any responsible company handling sensitive data is supposed to do. And when the breach happened? They didn’t even know until after the hackers had been partying in their servers for months.

So why are we in court? Because Seychelle, Reginald, and potentially over 160,000 others are now stuck in identity-theft purgatory. They have to spend years checking credit reports, freezing accounts, fielding spam calls, and living with the anxiety that one day, someone’s gonna file a fake tax return in their name or open a credit card to buy a jet ski they’ll never ride. The filing says they’ve already noticed a spike in spam emails and scam calls—classic signs your info is being auctioned off in underground forums where hackers sell “Fullz” packages (that’s dark web slang for a complete identity dossier, in case you were wondering). And once your Social Security number is out there? Good luck changing it. The government doesn’t just hand out new ones like gym membership upgrades. You need proof of ongoing fraud—meaning you have to get burned before they’ll even consider helping you. Thanks, bureaucracy.

The plaintiffs aren’t asking for a king’s ransom in cash. There’s no $50 million demand here. Instead, they’re asking for things that actually matter: a real security overhaul, lifetime credit monitoring, mandatory employee training, and independent audits so we know this doesn’t happen again. They want Excel Fitness to stop being a data dumpster and start acting like a company that understands the 21st century. And honestly? That’s not too much to ask. If you’re going to collect people’s Social Security numbers, birth dates, and financial info—which, by the way, you need to sign up for most gym memberships—then you better protect it like it’s the last protein shake in the cooler.

Here’s the absurd part: Excel Fitness operates over 160 gyms across nine states. They’re a major franchise player. They have lawyers, accountants, IT departments—someone, somewhere, had to know this was a disaster waiting to happen. And yet, they cut corners. They ignored red flags. They treated customer data like it was just another line item on a spreadsheet, not the foundation of people’s financial lives. Meanwhile, stolen Social Security numbers can sell for 10 times more than stolen credit card info on the dark web. This wasn’t just negligence—it was a buffet for cybercriminals, and Excel Fitness left the door wide open.

We’re rooting for Seychelle and Reginald not because they’re heroes, but because they’re us. They’re everyone who’s ever handed over their info to a company and assumed, “Well, they’ll keep it safe.” Spoiler: they didn’t. This case isn’t about revenge. It’s about accountability. It’s about making sure the next gym, the next retailer, the next app that asks for your SSN thinks twice before treating your data like a gym sock they’ll just toss in the corner. Because in the digital age, your personal information is your property—and when a company loses it through sheer laziness, they don’t get a free pass. They get sued. And honestly? About time.

Case Overview

Jury Trial Petition
Jurisdiction: District Court of Oklahoma County, Oklahoma
Relief Sought: Injunctive Relief; Declaratory Relief
Plaintiffs
Claims
| # | Cause of Action | Description |
|---|---|---|
| 1 | Negligence | Failure to implement adequate data security measures |
| 2 | Negligence Per Se | Failure to comply with applicable laws and regulations |
| 3 | Breach of Implied Contract | Failure to safeguard and protect personal information |
| 4 | Unjust Enrichment | Retention of benefits conferred by plaintiffs |

Petition Text

IN THE DISTRICT COURT OF OKLAHOMA COUNTY FOR THE STATE OF OKLAHOMA

SEYCHELLE KESSLER and REGINALD LIPFORD, individually and on behalf of all others similarly situated, Plaintiff, v. EXCEL FITNESS CONSOLIDATOR, LLC d/b/a EXCEL FITNESS MANAGEMENT, LLC, Defendant.

FILED DISTRICT COURT OKLAHOMA COUNTY, OKLAHOMA February 9, 2026 4:41 PM RICK WARREN, COURT CLERK Case Number CJ-2026-1077

CASE NO.

JUDGE: ________________

JURY TRIAL DEMANDED

CLASS ACTION PETITION

Plaintiffs Seychelle Kessler and Reginald Lipford ("Plaintiffs"), individually and on behalf of all other similarly situated individuals (the "Class Members," as defined below), by and through their counsel, file this class action lawsuit against Excel Fitness Consolidator, LLC d/b/a Excel Fitness Management, LLC ("Excel Fitness" or "Defendant") and allege the following based on personal knowledge of facts pertaining to themselves, on information and belief, and based on the investigation of counsel as to all other matters.

I. SUMMARY OF ACTION

1. Plaintiffs bring this class action lawsuit against Defendant for its failure to properly secure and safeguard the personally identifiable information ("PII" or "Private Information") of Plaintiffs and the Class resulting in a massive and preventable Data Breach.[1]

2. Excel Fitness is a Planet Fitness franchisee that operates over 160 gym locations in Texas, Oklahoma, Utah, Missouri, Arkansas, Tennessee, Georgia, North Carolina, and Virginia.[2] Defendant conducts extensive business in Oklahoma City, OK.

[1] https://mm.nh.gov/files/uploads/doj/remote-docs/excel-fitness-consolidator-20250808.pdf.

3. The registered agent for Excel Fitness is Cogency Global Inc. and may be served at 15205 Traditions Lake Parkway Edmond, Oklahoma 73013.

4. Plaintiffs and the Class are current and/or former employees and customers of Defendant.

5.
On or around January 17, 2025, Defendant’s systems were accessed by an unauthorized third-party and the PII of Plaintiffs and Class Members was compromised (the “Data Breach”).[3]

6. After an investigation, Defendant confirmed that between September 16, 2024, and January 18, 2025, certain employee email accounts were subject to unauthorized access for certain periods of time by an unauthorized party.[4]

7. Upon information and belief, the types of PII accessed and/or acquired in the Data Breach included at least the following: names, addresses, email addresses, phone numbers, dates of birth, financial account information, and/or Social Security numbers.

8. Upon information and belief, Plaintiffs’ and Class Members’ PII was compromised as a result of a targeted attack intended to obtain Plaintiffs’ and Class Members’ PII because that is the modus operandi of cybercriminals who perpetrate data breaches such as this.

9. Upon information and belief, Plaintiffs’ and Class Members’ PII—which they entrusted to Defendant based on the mutual understanding that Defendant would protect it against disclosure—was compromised due to the Data Breach.

[2] See https://www.excelfitness.com/
[3] See https://mm.nh.gov/files/uploads/doj/remote-docs/excel-fitness-consolidator-20250808.pdf.
[4] Id.

10. Upon information and belief, the PII compromised in the Data Breach was accessed and/or acquired by cybercriminals and remains in the hands of those cybercriminals who target PII for its value to identity thieves.

11.
As a result of the Data Breach, Plaintiffs and Class Members, suffered concrete injuries in fact including, but not limited to: (i) invasion of privacy; (ii) lost or diminished value of PII; (iii) lost time and opportunity costs associated with attempting to mitigate the actual consequences of the Data Breach; (iv) loss of benefit of the bargain; (v) lost opportunity costs associated with attempting to mitigate the actual consequences of the Data Breach; (vi) statutory damages; (vii) nominal damages; (viii) the continued and certainly increased risk to their PII, which: (a) remains unencrypted and available for unauthorized third parties to access and abuse; and (b) remains backed up in Defendant’s possession and is subject to further unauthorized disclosures so long as Defendant fails to undertake appropriate and adequate measures to protect the PII.

12. The Data Breach was a direct result of Defendant’s failure to implement adequate and reasonable cybersecurity procedures and protocols necessary to protect its customers’ and employees’ PII from a foreseeable and preventable cyberattack.

13. Defendant maintained, used, and shared the PII in a reckless manner. In particular, the PII was used and transmitted by Defendant in a condition vulnerable to cyberattacks. Upon information and belief, the mechanism of the cyberattack and potential for improper disclosure of Plaintiffs’ and Class Members’ PII was a known risk to Defendant, and thus, Defendant was on notice that failing to take steps necessary to secure the PII from those risks left that property in a dangerous condition.

14.
Defendant disregarded the rights of Plaintiffs and Class Members by, inter alia, intentionally, willfully, recklessly, or negligently failing to take adequate and reasonable measures to ensure its data systems were protected against unauthorized intrusions; failing to take standard and reasonably available steps to prevent the Data Breach; and failing to provide Plaintiffs and Class Members prompt notice of the Data Breach.

15. Plaintiffs’ and Class Members’ identities are now at risk because of Defendant’s negligent conduct because the PII that Defendant collected and maintained is now in the hands of data thieves.

16. As a result of the Data Breach, Plaintiffs and Class Members have been exposed to a heightened and imminent risk of fraud and identity theft. Plaintiffs and Class Members must now and in the future closely monitor their financial accounts to guard against identity theft.

17. Plaintiffs and Class Members may also incur out of pocket costs, e.g., for purchasing credit monitoring services, credit freezes, credit reports, or other protective measures to deter and detect identity theft.

18. Plaintiffs bring this class action lawsuit on behalf of all those similarly situated to address Defendant’s inadequate safeguarding of Class Members’ PII that it collected and maintained, and for failing to provide timely and adequate notice to Plaintiffs and other Class Members that their information was compromised in the Data Breach.

19. Through this Complaint, Plaintiffs seek to remedy these harms on behalf of themselves and all similarly situated individuals whose PII was accessed and/or acquired during the Data Breach.

20. Plaintiffs and Class Members have a continuing interest in ensuring that their information is and remains safe, and they should be entitled to injunctive and other equitable relief.

II. JURISDICTION AND VENUE

21. This Court has personal jurisdiction over Defendant pursuant to Okla. Stat. tit.
12 § 2004(f) because Defendant conducts extensive business in this State, has sufficient minimum contacts with this State, has a registered agent in this State, and has purposefully availed itself of the privilege of conducting activities within this State, thus invoking the benefits and protections of this State’s laws.

22. The Court has subject matter jurisdiction under Okla. Const. Art. VII § 7, which gives the Court unlimited original jurisdiction of all justiciable matters, including the matter alleged in this Petition.

23. Venue is proper in this Court under Okla. Stat. tit. 12 §§ 134, 137, and 139 because Defendant is situated in this county through its registered agent, Defendant may be found in this county, Defendant resided in this county at the time the claims arose, and numerous Class Members reside in this county.

III. PARTIES

24. Plaintiff Reginald Lipford is a natural person and resident of Texas. Plaintiff Lipford was required to provide his PII to Defendant in the course of ordinary business.

25. Plaintiff Seychelle Kessler is a natural person and resident of Texas. Plaintiff Kessler was required to provide her PII to Defendant in the course of ordinary business.

26. Defendant Excel Fitness is a limited liability company formed under the laws of Texas but conducts substantial and extensive business in Oklahoma through its business locations and affiliates. Excel Fitness is registered in Oklahoma as Excel Fitness Management, LLC. The registered agent is Cogency Global Inc. and may be served in this county at 15205 Traditions Lake Parkway Edmond, Oklahoma 73013.

IV. FACTUAL ALLEGATIONS

Defendant’s Business

27. Defendant is a gym company operating over 160 Planet Fitness franchise locations across Texas, Oklahoma, Utah, Missouri, Arkansas, Tennessee, Georgia, North Carolina, and Virginia, and are continuing to build over 10 new locations each year.[5]

28.
Defendant is registered in Oklahoma as Excel Fitness Management, LLC and its registered agent Cogency Global Inc. may be served in this county at 15205 Traditions Lake Parkway Edmond, Oklahoma 73013.[6]

29. Upon information and belief, Plaintiff and Class Members are current and former employees and/or customers of Defendant.

30. During the ordinary course of business, Plaintiffs and Class Members were required to provide their PII to Defendant, including but not limited to names, phone numbers, email addresses, addresses, dates of birth, financial account information, and Social Security numbers.

31. By obtaining, collecting, using, and deriving a benefit from Plaintiffs’ and Class Members’ PII, Defendant assumed legal and equitable duties and knew or should have known that it was responsible for protecting Plaintiffs’ and Class Members’ PII from unauthorized disclosure.

32. In providing their PII to Defendant, Plaintiffs and the Class Members reasonably expected this sophisticated business entity to keep their PII confidential and secured from unauthorized disclosures, to use this information for business purposes only, and to disclose it only as authorized. Defendant failed to do so, resulting in the unauthorized disclosure of Plaintiffs’ and Class Members’ PII in the Breach.

[5] See https://www.excelfitness.com/locations (last visited Jan. 8, 2026).
[6] See https://www.sos.ok.gov/corp/corpInformation.aspx?id=3713794245 (last visited Jan. 8, 2025).

33. Defendant failed to adequately protect Plaintiffs’ and Class Members' PII and failed to ensure that they would maintain adequate safeguards to protect their customer’s PII.

34. Upon information and belief, in the course of collecting PII from Plaintiffs and Class Members, Defendant promised to provide confidentiality and adequate security for customer and employee PII through its applicable privacy policy and through other disclosures in compliance with statutory privacy requirements.

35.
Plaintiffs and the Class Members, as former and current customers and employees of Defendant, relied on these promises and on this sophisticated business entity to keep their sensitive PII confidential and securely maintained, to use this information for business purposes only, and to make only authorized disclosures of this information.

36. Plaintiffs and Class Members have incurred and will continue to incur damages in the form of, among other things, identity theft, attempted identity theft, lost time and expenses mitigating harms, increased risk of harm, damaged credit, diminution of the value of their PII, loss of privacy, and additional damages as described below.

37. Plaintiffs bring this action individually and on behalf of the Class, seeking compensatory damages, punitive damages, nominal damages, restitution, injunctive and declaratory relief, reasonable attorneys’ fees and costs and all other remedies this Court deems just and proper.

The Data Breach

38. On or around August 8, 2025, Defendant began providing Class Members notice that, on January 17, 2025, an unauthorized third-party gained access to Defendant’s computer network and compromised the PII of Plaintiff and Class Members.[7]

[7] Exhibit 1 (Notice Letter).

39. In the notice to affected individuals ("Notice Letter"), Excel Fitness stated the following in relevant part:

What Happened? On or around January 17, 2025, we became aware of potential unauthorized access into an employee’s email account. Upon discovery, we took immediate action to address and investigate the event, which included engaging third-party specialists to assist with determining the nature and scope of the incident. The investigation confirmed that a limited number of employees email accounts were intermittently subject to unauthorized access for limited periods of time between September 16, 2024, and January 18, 2025.
Therefore, we conducted a comprehensive review of the relevant information to determine the types of information present and to whom that information related. After a throughout investigation, the preliminary results of the review were received, and we then promptly began working to confirm necessary address information to provide relevant individuals with notification. On July 6, 2025, all necessary information was confirmed, and we then worked to notify relevant individuals as quickly as possible.[8]

40. Upon information and belief, Defendant waited nearly seven (7) months to notify Plaintiffs and Class Members and discovered the PII compromised in the Data Breach included Plaintiffs’ and Class Members’ names in combination with their Social Security numbers, which were compromised and stolen in the Data Breach.[9]

41. While the information impacted varies depending on the individual, upon information and belief, the type of information potentially exposed includes: names, dates of birth, Social Security numbers, addresses, and financial account numbers.

42. Defendant did not use reasonable security procedures and practices appropriate to the nature of the sensitive information they were maintaining for Plaintiffs and Class Members, causing the theft of PII, such as encrypting the information or deleting it when it is no longer needed.

43. Defendant also failed to timely notify Plaintiffs and Class Members about the Breach, causing delay in Plaintiffs’ and Class Members’ ability to protect themselves from misuse of their Private Information.

[8] Id.
[9] Id.

44. By collecting, storing, and maintaining the Private Information of Plaintiffs and Class Members, Defendant owed a duty to Plaintiffs and Class Members to protect and safeguard their Private Information from unauthorized disclosures.

45. Plaintiffs’ and Class Members’ Private Information was targeted, accessed, and stolen by cybercriminals in the Data Breach.
Defendants’ deficient security for patient data caused and allowed criminals to target and take files containing Plaintiffs’ and Class Members’ inadequately protected, unencrypted Private Information from Defendant’s possession through the Data Breach.

46. Defendant had obligations created by the FTC Act, contract, common law, and industry standards to keep Plaintiffs’ and Class Members’ PII confidential and to protect it from unauthorized access and disclosure.

47. Because Defendant had a duty to protect Plaintiffs’ and Class members’ Private Information, Defendant should have known through readily available and accessible information about potential threats for the unauthorized exfiltration and misuse of such information. Thus, Defendant had a duty to ensure that Plaintiffs’ and Class members’ Private Information, stored with their networks and systems, was secured and protected from unauthorized disclosures to third parties.

48. Plaintiffs further believe that their Private Information and that of Class members, was subsequently sold on the dark web following the Breach, as that is the modus operandi of cybercriminals that commit cyberattacks of this type.

49. All in all, Defendant failed to take the necessary precautions required to safeguard and protect Plaintiffs’ and Class Members’ Private Information from unauthorized access and exploitation.

50. Defendant’s actions represent a flagrant disregard of the rights of Plaintiff and the Class, both as to privacy and property.

51. As such, Plaintiff and the Class have suffered harm and continue to be at an imminent and impending risk of identity theft and fraud.

Defendant Failed to Comply with FTC Guidelines

52. Defendant could have prevented this Data Breach by, among other things, properly encrypting or otherwise protecting their equipment and computer files containing PII.

53.
Defendant did not use reasonable security procedures and practices appropriate to the nature of the sensitive information they were maintaining for Plaintiffs and Class Members, causing the exposure of PII, such as encrypting the information or deleting it when it is no longer needed.

54. Data breaches are preventable.[10] “In almost all cases, the data breaches that occurred could have been prevented by proper planning and the correct design and implementation of appropriate security solutions.”[11] “Organizations that collect, use, store, and share sensitive personal data must accept responsibility for protecting the information and ensuring that it is not compromised[.]”[12]

[10] Lucy L. Thomson, Despite the Alarming Trends, Data Breaches Are Preventable, DATA BREACH AND ENCRYPTION HANDBOOK (Lucy Thompson, ed., 2012), available at https://lawcat.berkeley.edu/record/394088.
[11] Id. at 17.
[12] Id. at 28.

55. Most reported data breaches “are a result of lax security and the failure to create or enforce appropriate security policies, rules, and procedures. . . . Appropriate information security controls, including encryption, must be implemented and enforced in a rigorous and disciplined manner so that a data breach never occurs.”[13]

56. Here, many failures laid the groundwork for the Data Breach.

57. The FTC has published guidelines that establish reasonable data security practices for businesses.[14]

58. The FTC guidelines establish that businesses should protect the confidential information that they keep; properly dispose of personal information that is no longer needed; encrypt information stored on computer networks; understand their network’s vulnerabilities; and implement policies for installing vendor-approved patches to correct security problems.[15]

59.
The FTC guidelines also recommend that businesses utilize an intrusion detection system to expose a breach as soon as it occurs; monitor all incoming traffic for activity indicating hacking attempts; watch for large amounts of data being transmitted from the system; and have a response plan ready in the event of a breach.[16]

60. According to information and belief, Defendants failed to follow reasonable and necessary industry standards to prevent the Breach, including the FTC’s guidelines.

61. Upon information and belief, Defendants also failed to meet the minimum standards of any of the following frameworks: the NIST Cybersecurity Framework, NIST Special Publications 800-53, 53A, or 800-171; the Federal Risk and Authorization Management Program (FEDRAMP); or the Center for Internet Security’s Critical Security Controls (CIS CSC), which are well respected authorities in cybersecurity readiness.

[13] Id.
[14] Protecting Personal Information: A Guide for Business, FTC (Oct. 2016), available at https://www.ftc.gov/system/files/documents/plain-language/pdf-0136_proteting-personal-information.pdf.
[15] Id.
[16] Id.

62. As explained by the Federal Bureau of Investigation, “[p]revention is the most effective defense against ransomware and it is critical to take precautions for protection.”[17]

63. To prevent and detect cyber-attacks and/or ransomware attacks Defendant could and should have implemented, as recommended by the United States Government, the following measures:

• Implement an awareness and training program. Because end users are targets, employees and individuals should be aware of the threat of ransomware and how it is delivered.
• Enable strong spam filters to prevent phishing emails from reaching the end users and authenticate inbound email using technologies like Sender Policy Framework (SPF), Domain Message Authentication Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) to prevent email spoofing.
• Scan all incoming and outgoing emails to detect threats and filter executable files from reaching end users.
• Configure firewalls to block access to known malicious IP addresses.
• Patch operating systems, software, and firmware on devices. Consider using a centralized patch management system.
• Set anti-virus and anti-malware programs to conduct regular scans automatically.
• Manage the use of privileged accounts based on the principle of least privilege: no users should be assigned administrative access unless absolutely needed; and those with a need for administrator accounts should only use them when necessary.
• Configure access controls—including file, directory, and network share permissions—with least privilege in mind. If a user only needs to read specific files, the user should not have write access to those files, directories, or shares.
• Disable macro scripts from office files transmitted via email. Consider using Office Viewer software to open Microsoft Office files transmitted via email instead of full office suite applications.
• Implement Software Restriction Policies (SRP) or other controls to prevent programs from executing from common ransomware locations, such as temporary folders supporting popular Internet browsers or compression/decompression programs, including the AppData/LocalAppData folder.
• Consider disabling Remote Desktop protocol (RDP) if it is not being used.
• Use application whitelisting, which only allows systems to execute programs known and permitted by security policy.
• Execute operating system environments or specific programs in a virtualized environment.
• Categorize data based on organizational value and implement physical and logical separation of networks and data for different organizational units.[18]

[17] How to Protect Your Networks from RANSOMWARE, at 3, available at: https://www.fbi.gov/file-repository/ransomware-prevention-and-response-for-cisos.pdf/view

64.
To prevent and detect cyberattacks or ransomware attacks Defendant could and should have implemented, as recommended by the Microsoft Threat Protection Intelligence Team, the following measures:

Secure internet-facing assets - Apply latest security updates - Use threat and vulnerability management - Perform regular audit; remove privileged credentials; Thoroughly investigate and remediate alerts - Prioritize and treat commodity malware infections as potential full compromise; Include IT Pros in security discussions - Ensure collaboration among [security operations], [security admins], and [information technology] admins to configure servers and other endpoints securely; Build credential hygiene - Use [multifactor authentication] or [network level authentication] and use strong, randomized, just-in-time local admin passwords; Apply principle of least-privilege - Monitor for adversarial activities - Hunt for brute force attempts - Monitor for cleanup of Event Logs - Analyze logon events; Harden infrastructure - Use Windows Defender Firewall - Enable tamper protection - Enable cloud-delivered protection - Turn on attack surface reduction rules and [Antimalware Scan Interface] for Office [Visual Basic for Applications].[19]

[18] Id. at 3-4.

65. Given that Defendant was storing the PII of what is estimated to be thousands of individuals, it could and should have implemented all of the above measures to prevent and detect cyberattacks.

66. Moreover, it is well-established industry standard practice for a business to dispose of confidential Private Information once it is no longer needed.[20]

67. The FTC has repeatedly emphasized the importance of disposing of unnecessary Private Information: “Keep sensitive data in your system only as long as you have a business reason to have it. Once that business need is over, properly dispose of it.
If it’s not on your system, it can’t be stolen by hackers.”[21] Rather than following this basic standard of care, Defendants kept thousands of patients’ unencrypted Private Information on their inadequately secured systems indefinitely.

68. The occurrence of the Data Breach indicates that Defendant failed to adequately implement one or more of the above measures to prevent cyberattacks, resulting in the Data Breach and, upon information and belief, the publication of the PII of thousands of individuals, including that of Plaintiffs and Class Members.

[19] See Human-operated ransomware attacks: A preventable disaster (Mar 5, 2020), available at: https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/
[20] See Protecting Personal Information: A Guide for Business, FEDERAL TRADE COMMISSION (Oct. 2016), https://www.ftc.gov/business-guidance/resources/protecting-personal-information-guide-business.
[21] Id. at 6.

69. In sum, the Data Breach could have been easily prevented through standard practices like the use of industry standard network segmentation and encryption of all Private Information—which Defendant negligently failed to do.

70. Further, the scope of the Data Breach could have been dramatically reduced had Defendants utilized proper record retention and destruction practices—but Defendants negligently did no such thing.

Defendant Acquires, Collects, and Stores Plaintiff’s and Class Members’ PII

71. Defendant acquires, collects, and stores a massive amount of PII through its provision of employment or gym services.

72. By obtaining, collecting, and using Plaintiffs’ and Class Members’ PII, Defendant assumed legal and equitable duties and knew or should have known that it was responsible for protecting Plaintiffs’ and Class Members’ PII from disclosure.

73.
Plaintiffs and the Class Members have taken reasonable steps to maintain the confidentiality of their PII and would not have entrusted it to Defendant absent a promise to safeguard that information. 74. Upon information and belief, in the course of collecting PII from Plaintiffs and Class Members, Defendant promised to provide confidentiality and adequate security for consumer data through its applicable privacy policy and through other disclosures in compliance with statutory privacy requirements. 75. Plaintiffs and the Class Members relied on Defendant to keep their PII confidential and securely maintained, to use this information for business purposes only, and to make only authorized disclosures of this information. Defendant Knew, Or Should Have Known of the Risks Because Companies In Possession of PII Are Particularly Susceptible to Cyber Attacks 76. In light of recent high profile data breaches at other industry leading companies, including, Microsoft (250 million records, December 2019), Wattpad (268 million records, June 2020), Facebook (267 million users, April 2020), Estee Lauder (440 million records, January 2020), Whisper (900 million records, March 2020), and Advanced Info Service (8.3 billion records, May 2020), Defendant knew or should have known that the PII that they collected and maintained would be targeted by cybercriminals. 77. Indeed, cyber-attacks, such as the one experienced by Defendant, have become so notorious that the Federal Bureau of Investigation (“FBI”) and U.S. Secret Service have issued a warning to potential targets, so they are aware of, and prepared for, a potential attack. 78. Additionally, as companies became more dependent on computer systems to run their business,22 e.g., working remotely as a result of the Covid-19 pandemic, and the Internet of Things (“IoT”), the danger posed by cybercriminals is magnified, thereby highlighting the need for adequate administrative, physical, and technical safeguards.23 79. 
Defendant knew and understood unprotected or exposed PII in the custody of institutions, like Defendant, is valuable and highly sought after by nefarious third parties seeking to illegally monetize that PII through unauthorized access.

80. At all relevant times, Defendant knew, or reasonably should have known, of the importance of safeguarding the PII of Plaintiffs and Class Members and of the foreseeable consequences that would occur if Defendant’s data security system was breached, including, specifically, the significant costs that would be imposed on Plaintiff and Class Members as a result of a breach.

22 See Danny Brando, Implications of Cyber Risk for Financial Stability (May 12, 2022), available at: https://www.federalreserve.gov/econres/notes/feds-notes/implications-of-cyber-risk-for-financial-stability-20220512.html

23 See Dr. Suleyman Ozarslan, Key Threats and Cyber Risks Facing Financial Services and Banking Firms in 2022 (March 24, 2022), available at: https://www.picussecurity.com/key-threats-and-cyber-risks-facing-financial-services-and-banking-firms-in-2022

81. Plaintiffs and Class Members now face years of constant surveillance of their financial and personal records, monitoring, and loss of rights. The Class is incurring and will continue to incur such damages in addition to any fraudulent use of their PII.

82. The injuries to Plaintiffs and Class Members were directly and proximately caused by Defendant’s failure to implement or maintain adequate data security measures for the PII of Plaintiffs and Class Members.

83. The ramifications of Defendant’s failure to keep secure the PII of Plaintiffs and Class Members are long lasting and severe. Once PII is stolen—particularly Social Security numbers—fraudulent use of that information and damage to victims may continue for years.

84.
Defendant knew, or should have known, the importance of safeguarding PII entrusted to it by Plaintiffs and Class Members, and of the foreseeable consequences if its data security systems were breached. This includes the significant costs imposed on Plaintiffs and Class Members as a result of a breach. Defendant failed, however, to take adequate cybersecurity measures to prevent the Data Breach.

Value of Personally Identifiable Information

85. The Federal Trade Commission ("FTC") defines identity theft as "a fraud committed or attempted using the identifying information of another person without authority."24 The FTC describes “identifying information” as “any name or number that may be used, alone or in conjunction with any other information, to identify a specific person,” including, among other things, “[n]ame, Social Security number, date of birth, official State or government issued driver’s license or identification number, alien registration number, government passport number, employer or taxpayer identification number.”25

24 17 C.F.R. § 248.201 (2013).

86. The PII of individuals remains of high value to criminals, as evidenced by the prices they will pay through the dark web. Numerous sources cite dark web pricing for stolen identity credentials.26 For example, Personal Information can be sold at a price ranging from $40 to $200.27 Criminals can also purchase access to entire company data breaches from $900 to $4,500.28

87. For example, Social Security numbers are among the worst kind of PII to have stolen because they may be put to a variety of fraudulent uses and are difficult for an individual to change. The Social Security Administration stresses that the loss of an individual’s Social Security number, as experienced by Plaintiffs and Class Members, can lead to identity theft and extensive financial fraud:

A dishonest person who has your Social Security number can use it to get other personal information about you.
Identity thieves can use your number and your good credit to apply for more credit in your name. Then, they use the credit cards and don’t pay the bills, it damages your credit. You may not find out that someone is using your number until you’re turned down for credit, or you begin to get calls from unknown creditors demanding payment for items you never bought. Someone illegally using your Social Security number and assuming your identity can cause a lot of problems.29 __________________________ 25 Id. 26 Your personal data is for sale on the dark web. Here’s how much it costs, Digital Trends, Oct. 16, 2019, available at: https://www.digitaltrends.com/computing/personal-data-sold-on-the-dark-web-how-much-it-costs/ 27 Here’s How Much Your Personal Information Is Selling for on the Dark Web, Experian, Dec. 6, 2017, available at: https://www.experian.com/blogs/ask-experian/heres-how-much-your-personal-information-is-selling-for-on-the-dark-web/ 28 https://vpnoverview.com/privacy/anonymous-browsing/in-the-dark/ 29 Social Security Administration, Identity Theft and Your Social Security Number, available at: https://www.ssa.gov/pubs/EN-05-10064.pdf 88. What’s more, it is no easy task to change or cancel a stolen Social Security number. An individual cannot obtain a new Social Security number without significant paperwork and evidence of actual misuse. In other words, preventive action to defend against the possibility of misuse of a Social Security number is not permitted; an individual must show evidence of actual, ongoing fraud activity to obtain a new number. 89. Even then, a new Social Security number may not be effective. According to Julie Ferguson of the Identity Theft Resource Center, “[t]he credit bureaus and banks are able to link the new number very quickly to the old number, so all of that old bad information is quickly inherited into the new Social Security number.”30 90. 
Based on the foregoing, the information stolen in the Data Breach is significantly more valuable than the loss of, for example, credit card information in a retailer data breach because, there, victims can cancel or close credit and debit card accounts. The information compromised in this Data Breach is impossible to “close” and difficult, if not impossible, to change—Social Security numbers and names.

91. This data demands a much higher price on the black market. Martin Walter, senior director at cybersecurity firm RedSeal, explained, “Compared to credit card information, personally identifiable information and Social Security numbers are worth more than 10x on the black market.”31

92. Among other forms of fraud, identity thieves may obtain driver’s licenses, government benefits, medical services, and housing or even give false information to police.

30 Bryan Naylor, Victims of Social Security Number Theft Find It’s Hard to Bounce Back, NPR (Feb. 9, 2015), available at: http://www.npr.org/2015/02/09/384875839/data-stolen-by-anthem-s-hackers-has-millionsworrying-about-identity-theft

31 Tim Greene, Anthem Hack: Personal Data Stolen Sells for 10x Price of Stolen Credit Card Numbers, IT World, (Feb. 6, 2015), available at: https://www.networkworld.com/article/2880366/anthem-hack-personal-data-stolen-sells-for-10x-price-of-stolen-credit-card-numbers.html

93. The fraudulent activity resulting from the Data Breach may not come to light for years. There may be a time lag between when harm occurs versus when it is discovered, and also between when PII is stolen and when it is used. According to the U.S. Government Accountability Office ("GAO"), which conducted a study regarding data breaches:

[L]aw enforcement officials told us that in some cases, stolen data may be held for up to a year or more before being used to commit identity theft.
Further, once stolen data have been sold or posted on the Web, fraudulent use of that information may continue for years. As a result, studies that attempt to measure the harm resulting from data breaches cannot necessarily rule out all future harm.32

94. Plaintiffs and Class Members now face years of constant surveillance of their financial and personal records, monitoring, and loss of rights. The Class is incurring and will continue to incur such damages in addition to any fraudulent use of their PII.

Defendant Failed to Comply with Industry Standards

95. As noted above, experts studying cybersecurity routinely identify entities in possession of Private Information as being particularly vulnerable to cyberattacks because of the value of the Private Information which they collect and maintain.

96. Several best practices have been identified that, at a minimum, should be implemented by software institutions in possession of Private Information, like Defendant, including but not limited to: educating all employees; strong passwords; multi-layer security, including firewalls, anti-virus, and anti-malware software; encryption, making data unreadable without a key; multi-factor authentication; backup data and limiting which employees can access sensitive data. Defendant failed to follow these industry best practices, including a failure to implement multi-factor authentication.

32 Report to Congressional Requesters, GAO, at 29 (June 2007), available at: https://www.gao.gov/assets/gao-07-737.pdf

97. Other best cybersecurity practices that are standard for software institutions include installing appropriate malware detection software; monitoring and limiting the network ports; protecting web browsers and email management systems; setting up network systems such as firewalls, switches and routers; monitoring and protection of physical security systems; protection against any possible communication system; training staff regarding critical points.
Defendant failed to follow these cybersecurity best practices, including failure to train staff. 98. Defendant failed to meet the minimum standards of any of the following frameworks: the NIST Cybersecurity Framework Version 1.1 (including without limitation PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-5, PR.AC-6, PR.AC-7, PR.AT-1, PR.DS-1, PR.DS-5, PR.PT-1, PR.PT-3, DE.CM-1, DE.CM-4, DE.CM-7, DE.CM-8, and RS.CO-2), and the Center for Internet Security’s Critical Security Controls (CIS CSC), which are all established standards in reasonable cybersecurity readiness. 99. These foregoing frameworks are existing and applicable industry standards for software institutions, and upon information and belief, Defendant failed to comply with at least one—or all—of these accepted standards, thereby opening the door to the threat actor and causing the Data Breach. Common Injuries and Damages 100. As a result of Defendant's ineffective and inadequate data security practices, the Data Breach, and the foreseeable consequences of PII ending up in the possession of criminals, the risk of identity theft to the Plaintiffs and Class Members has materialized and is imminent, and Plaintiffs and Class Members have all sustained actual injuries and damages, including: (i) invasion of privacy; (ii) theft and publication of their PII to the dark web; (iii) lost or diminished value of PII; (iv) lost time and opportunity costs associated with attempting to mitigate the actual consequences of the Data Breach; (v) loss of benefit of the bargain; (vi) lost opportunity costs associated with attempting to mitigate the actual consequences of the Data Breach; (vii) statutory damages; (viii) nominal damages; and (ix) the continued and certainly increased risk to their PII, which: (a) remains unencrypted and available for unauthorized third parties to access and abuse; and (b) remains backed up in Defendant’s possession and is subject to further unauthorized disclosures so long as Defendant fails to undertake 
appropriate and adequate measures to protect the PII. Data Breaches Increase Victims’ Risk of Identity Theft 101. The unencrypted PII of Class Members will end up for sale on the dark web as that is the modus operandi of hackers. 102. Unencrypted PII may also fall into the hands of companies that will use the detailed PII for targeted marketing without the approval of Plaintiffs and Class Members. Simply put, unauthorized individuals can easily access the PII of Plaintiffs and Class Members. 103. The link between a data breach and the risk of identity theft is simple and well established. Criminals acquire and steal Private Information to monetize the information. Criminals monetize the data by selling the stolen information on the black market to other criminals who then utilize the information to commit a variety of identity theft related crimes discussed below. 104. Plaintiffs’ and Class Members’ PII is of great value to hackers and cyber criminals, and the data stolen in the Data Breach has been used and will continue to be used in a variety of sordid ways for criminals to exploit Plaintiffs and Class Members and to profit off their misfortune. 105. One such example of criminals piecing together bits and pieces of compromised Private Information for profit is the development of “Fullz” packages.33 106. With “Fullz” packages, cybercriminals can cross-reference two sources of Private Information to marry unregulated data available elsewhere to criminally stolen data with an astonishingly complete scope and degree of accuracy in order to assemble complete dossiers on individuals. 107. The development of “Fullz” packages means here that the stolen Private Information from the Data Breach can easily be used to link and identify it to Plaintiffs’ and Class Members’ phone numbers, email addresses, and other unregulated sources and identifiers. 
In other words, even if certain information such as emails, phone numbers, or credit card numbers may not be included in the Private Information that was exfiltrated in the Data Breach, criminals may still easily create a Fullz package and sell it at a higher price to unscrupulous operators and criminals (such as illegal and scam telemarketers) over and over. 108. The existence and prevalence of “Fullz” packages means that the Private Information stolen from the data breach can easily be linked to the unregulated data (like insurance information) of Plaintiff and the other Class Members. ______________________________ 33 “Fullz” is fraudster speak for data that includes the information of the victim, including, but not limited to, the name, address, credit card information, social security number, date of birth, and more. As a rule of thumb, the more information you have on a victim, the more money that can be made off of those credentials. Fullz are usually pricier than standard credit card credentials, commanding up to $100 per record (or more) on the dark web. Fullz can be cashed out (turning credentials into money) in various ways, including performing bank transactions over the phone with the required authentication details in-hand. Even “dead Fullz,” which are Fullz credentials associated with credit cards that are no longer valid, can still be used for numerous purposes, including tax refund scams, ordering credit cards on behalf of the victim, or opening a “mule account” (an account that will accept a fraudulent money transfer from a compromised account) without the victim’s knowledge. See, e.g., Brian Krebs, Medical Records for Sale in Underground Stolen From Texas Life Insurance Firm, Krebs on Security (Sep. 18, 2014), https://krebsonsecurity.com/2014/09/medical-records-for-sale-in-underground-stolen-from-texas-life-insurance-firm/ 109. 
Thus, even if certain information (such as insurance information) was not stolen in the data breach, criminals can still easily create a comprehensive “Fullz” package. 110. Then, this comprehensive dossier can be sold—and then resold in perpetuity—to crooked operators and other criminals (like illegal and scam telemarketers). Loss of Time to Mitigate Risk of Identity Theft & Fraud 111. As a result of the recognized risk of identity theft, when a Data Breach occurs, the reasonable person is expected to take steps and spend time to address the dangerous situation, learn about the breach, and otherwise mitigate the risk of becoming a victim of identity theft or fraud. Failure to spend time taking steps to review accounts or credit reports could expose the individual to greater financial harm – yet, the resource and asset of time has been lost. 112. Thus, due to the actual and imminent risk of identity theft, Plaintiffs and Class Members must remain vigilant for fraud and identity theft by reviewing account statements and credit reports, place a fraud alert or security freeze on credit files, report suspicious activity, and contact authorities. 113. Plaintiffs and Class Members have spent, and will spend additional time in the future, on a variety of prudent actions, such as researching and verifying the legitimacy of the Data Breach, contacting credit bureaus to place freezes on their accounts, and signing up for the credit monitoring and identity theft protection services offered by Defendant. 114. Plaintiffs’ mitigation efforts are consistent with the U.S. Government Accountability Office that released a report in 2007 regarding data breaches (“GAO Report”) in which it noted that victims of identity theft will face “substantial costs and time to repair the damage to their good name and credit record.”34 115. 
Plaintiffs’ mitigation efforts are also consistent with the steps that FTC recommends that data breach victims take several steps to protect their personal and financial information after a data breach, including: contacting one of the credit bureaus to place a fraud alert (consider an extended fraud alert that lasts for seven years if someone steals their identity), reviewing their credit reports, contacting companies to remove fraudulent charges from their accounts, placing a credit freeze on their credit, and correcting their credit reports.35 116. And for those Class Members who experience actual identity theft and fraud, the United States Government Accountability Office released a report in 2007 regarding data breaches (“GAO Report”) in which it noted that victims of identity theft will face “substantial costs and time to repair the damage to their good name and credit record.” Diminution of Value of Private Information 117. Private Information is a valuable property right.36 Its value is axiomatic, considering the value of Big Data in corporate America and the consequences of cyber thefts include heavy prison sentences. Even this obvious risk to reward analysis illustrates beyond doubt that Private Information has considerable market value. 118. Sensitive Private Information can sell for as much as $363 per record according to the Infosec Institute.37 ________________________ 34 United States Government Accountability Office, GAO-07-737, Personal Information: Data Breaches Are Frequent, but Evidence of Resulting Identity Theft Is Limited; However, the Full Extent Is Unknown (June 2007), https://www.gao.gov/products/gao-07-737 35 See Federal Trade Commission, Identity Theft.gov, https://www.identitytheft.gov/Steps 36 See “Data Breaches Are Frequent, but Evidence of Resulting Identity Theft Is Limited; However, the Full Extent Is Unknown,” p. 2, U.S. Government Accountability Office, June 2007, https://www.gao.gov/new.items/d07737.pdf (“GAO Report”). 
37 See, e.g., John T. Soma, et al, Corporate Privacy Trend: The “Value” of Personally Identifiable Information (“PII”) Equals the “Value” of Financial Assets, 15 Rich. J.L. & Tech. 11, at *3-4 (2009) ("PII, which companies obtain at little cost, has quantifiable value that is rapidly reaching a level comparable to the value of traditional financial assets.") (citations omitted).

119. An active and robust legitimate marketplace for Private Information also exists. In 2019, the data brokering industry was worth roughly $200 billion.38

120. In fact, the data marketplace is so sophisticated that consumers can actually sell their non-public information directly to a data broker who in turn aggregates the information and provides it to marketers or app developers.39

121. As a result of the Data Breach, Plaintiffs’ and Class Members’ PII, which has an inherent market value in both legitimate and dark markets, has been damaged and diminished by its compromise and unauthorized theft. However, this transfer of value occurred without any consideration paid to Plaintiffs or Class Members for their property, resulting in an economic loss. Moreover, the Private Information is now readily available, and the rarity of the data has been lost, thereby causing additional loss of value.

122. At all relevant times, Defendant knew, or reasonably should have known, of the importance of safeguarding the PII of Plaintiffs and Class Members, and of the foreseeable consequences that would occur if Defendant's data security system was breached, including, specifically, the significant costs that would be imposed on Plaintiffs and Class Members as a result of a breach.

123. The fraudulent activity resulting from the Data Breach may not come to light for years.

124. Plaintiffs and Class Members now face years of constant surveillance of their
financial and personal records, monitoring, and loss of rights. The Class is incurring and will continue to incur such damages in addition to any fraudulent use of their PII.

38 See Ashiq Ja, Hackers Selling Healthcare Data in the Black Market, InfoSec (July 27, 2015), https://resources.infosecinstitute.com/topic/hackers-selling-healthcare-data-in-the-black-market/

39 See David Lazarus, Column: Shadowy data brokers make the most of their invisibility cloak, Los Angeles Times (Nov. 5, 2019), available at: https://www.latimes.com/business/story/2019-11-05/column-data-brokers

125. Defendant was, or should have been, fully aware of the unique type and the significant volume of data on Defendant's network, amounting to hundreds of thousands individuals’ detailed personal information and, thus, the significant number of individuals who would be harmed by the exposure of the unencrypted data.

126. The injuries to Plaintiffs and Class Members were directly and proximately caused by Defendant's failure to implement or maintain adequate data security measures for the PII of Plaintiff and Class Members.

Future Cost of Credit and Identity Theft Monitoring is Reasonable and Necessary

127. Given the type of targeted attack in this case, sophisticated criminal activity, the type of Private Information involved, entire batches of stolen information have been placed, or will be placed, on the black market/dark web for sale and purchase by criminals intending to utilize the Private Information for identity theft crimes – e.g., opening bank accounts in the victims’ names to make purchases or to launder money; file false tax returns; take out loans or lines of credit; or file false unemployment claims.

128. Such fraud may go undetected until debt collection calls commence months, or even years, later. An individual may not know that his or her Private Information was used to file unemployment benefits until law enforcement notifies the individual’s employer of the suspected fraud.
Fraudulent tax returns are typically discovered only when an individual’s authentic tax return is rejected. 129. Consequently, Plaintiffs and Class Members are at an increased risk of fraud and identity theft for many years into the future. 130. The retail cost of credit monitoring and identity theft monitoring can cost around $200 a year per Class Member. This is a reasonable and necessary cost to monitor to protect Class Members from the risk of identity theft that arose from Defendant’s Data Breach. Plaintiff Seychelle Kessler’s Experience 131. Plaintiff Seychelle Kessler applied for a job with Defendant in 2024, and received an offer letter, but did not accept the job offer. In applying for a job, Plaintiff provided her PII to Defendant in the course of ordinary business. 132. Plaintiff Kessler’s PII, including but not limited to, her name and Social Security number, was in the possession, custody and/or control of Defendant at the time of the Data Breach. 133. At the time of the Data Breach, Defendant retained Plaintiff’s PII in its system. 134. Upon information and belief, Plaintiff is a victim of the Data Breach. Plaintiff Kessler received a Notice Letter from Defendant dated August 8, 2025.40 135. Plaintiff believed that Defendant would take, at a minimum, industry standard precautions to protect, maintain, and safeguard that information from unauthorized use or disclosure, and would timely notify her of any data security incidents related to her. Plaintiff would not have given her PII to Defendant had she known it would not take reasonable steps to safeguard 136. Plaintiff Kessler is very careful about sharing her sensitive PII. Plaintiff stores any documents containing her PII in a safe and secure location. She has never knowingly transmitted unencrypted sensitive PII over the internet or any other unsecured source. Plaintiff would not have entrusted her PII to Defendant had she known of Defendant’s lax data security policies. 137. 
As a result of the Data Breach, Plaintiff made reasonable efforts to mitigate the impact of the Data Breach, including researching and verifying the legitimacy of the Data Breach. Plaintiff has spent hours dealing with the Data Breach—valuable time Plaintiff otherwise would have spent on other activities, including but not limited to work and/or recreation. This time has been lost forever and cannot be recaptured.

40 Exhibit 1.

138. Because of the Data Breach, there is no doubt Plaintiff Kessler’s highly confidential Private Information is in the hands of cybercriminals. Reason being, the modus operandi of cybercriminals is to steal data they can exploit by selling on the dark web. As such, Plaintiff Kessler’s and the Class are at an imminent risk of identity theft and fraud.

139. Plaintiff suffered actual injury from having her PII stolen as a result of the Data Breach including, but not limited to: (i) invasion of privacy; (ii) lost or diminished value of PII; (iii) lost time and opportunity costs associated with attempting to mitigate the actual consequences of the Data Breach; (iv) loss of benefit of the bargain; (v) lost opportunity costs associated with attempting to mitigate the actual consequences of the Data Breach; (vi) statutory damages; (vii) nominal damages; and (viii) the continued and certainly increased risk to her PII, which: (a) remains unencrypted and available for unauthorized third parties to access and abuse; and (b) remains backed up in Defendant’s possession and is subject to further unauthorized disclosures so long as Defendant fails to undertake appropriate and adequate measures to protect the PII.

140. Upon information and belief, Plaintiff Kessler has noticed an uptick in spam emails, calls, and text messages which she did not receive prior to the Breach.

141.
The Data Breach has caused Plaintiff to suffer fear, anxiety, and stress, which has been compounded by the fact that Defendant has still not fully informed her of key details about the Data Breach’s occurrence. 142. As a result of the Data Breach, Plaintiff anticipates spending considerable time and money on an ongoing basis to try to mitigate and address harms caused by the Data Breach. 143. As a result of the Data Breach, Plaintiff has been and will continue to be at a heightened and substantial risk of future identity theft and its attendant damages for years to come. This risk is certainly real and impending, and is not speculative, given the highly sensitive nature of the Private Information stolen in the Data Breach. 144. Plaintiff has a continuing interest in ensuring that her PII, which, upon information and belief, remains backed up in Defendant’s possession, is protected and safeguarded from future breaches. Plaintiff Reginald Lipford’s Experience 145. In its regular course of business, Defendant collected Plaintiff Lipford’s PII and stored it in its systems and network. 146. Plaintiff Lipford’s PII, including but not limited to, his Social Security number, was in the possession, custody and/or control of Defendant at the time of the Data Breach. 147. On August 8, 2025, Defendant sent Plaintiff Lipford a Notice Letter informing him that his PII was compromised as a result of the Data Breach. 148. Plaintiff believed that Defendant would take, at a minimum, industry standard precautions to protect, maintain, and safeguard that information from unauthorized use or disclosure, and would timely notify him of any data security incidents related to him. Plaintiff would not have given his PII to Defendant had he known it would not take reasonable steps to safeguard his PII. 149. 
As a result of the Data Breach, Plaintiff has or will make reasonable efforts to mitigate the impact of the Data Breach, including but not limited to researching the Data Breach, reviewing credit reports, financial account statements, and/or personal records for any indications, of actual or attempted identity theft or fraud. 150. Upon information and belief, Plaintiff Lipford has noticed an uptick in spam emails, calls, and text messages which he did not receive prior to the Breach. 151. Because of the Data Breach, there is no doubt Plaintiff Lipford’s highly confidential Private Information is in the hands of cybercriminals. Reason being, the modus operandi of cybercriminals is to steal data they can exploit by selling on the dark web. As such, Plaintiff Lipford and the Class are at an imminent risk of identity theft and fraud. 152. Plaintiff Lipford suffered actual injury from having his PII compromised as a result of the Data Breach including, but not limited to (a) damage to and diminution in the value of his PII, a form of property that Defendant obtained from Plaintiff; (b) violation of his privacy rights; (c) the theft of his PII; and (d) imminent and impending injury arising from the increased risk of identity theft and fraud. 153. As a result of the Data Breach, Plaintiff is very concerned about identity theft and fraud, as well as the consequences of such identity theft and fraud resulting from the Data Breach. 154. The Data Breach has caused Plaintiff to suffer significant anxiety and stress, which has been compounded by the fact that his Social Security number and other intimate details are in the hands of criminals and being sold on the dark web. 155. As result of the Data Breach, Plaintiff anticipates spending considerable time and/or money on an ongoing basis to try to mitigate and address harms caused by the Data Breach. 
In addition, Plaintiff will continue to be at present, imminent, and continued increased risk of identity theft and fraud for his lifetime. 156. As a result of the Data Breach, Plaintiff has been and will continue to be at a heightened and substantial risk of future identity theft and its attendant damages for years to come. This risk is certainly real and impending, and is not speculative, given the highly sensitive nature of the Private Information stolen in the Data Breach. 157. Plaintiff Lipford has a continuing interest in ensuring that his PII, which, upon information and belief, remains in Defendant’s possession, is protected and safeguarded from future breaches. **CLASS ALLEGATIONS** 158. Plaintiffs incorporate by reference all allegations of the preceding paragraphs as though fully set forth herein. 159. Plaintiffs bring this class action on behalf of themselves and on behalf of all others similarly situated under Okla. Stat. tit. 12 § 2023. Plaintiffs assert all claims on behalf of a class (the “Class”) defined as follows: All persons whose PII was accessed and/or acquired in Defendants’ Data Breach, including all individuals who received a Notice Letter. 160. Excluded from the Class are the following individuals and/or entities: Defendant and Defendant's parents, subsidiaries, affiliates, officers and directors, and any entity in which Defendant has a controlling interest; all individuals who make a timely election to be excluded from this proceeding using the correct protocol for opting out; and all judges assigned to hear any aspect of this litigation, as well as their immediate family members. 161. Plaintiffs reserve the right to amend the definitions of the Class or add a Class or Subclass if further information and discovery indicate that the definitions of the Class should be narrowed, expanded, or otherwise modified. 162. The proposed Class meets the requirements of Okla. Stat. tit. 12 § 2023. 163. 
**Numerosity**: The members of the Class are so numerous that joinder of all members is impracticable, if not completely impossible. The Class is apparently identifiable within Defendant's records, and Defendant has already identified these individuals (as evidenced by sending them breach notification letters). Upon information and belief, the Class includes thousands of individuals. 164. Common questions of law and fact exist as to all members of the Class and predominate over any questions affecting solely individual members of the Class. Among the questions of law and fact common to the Class that predominate over questions which may affect individual Class members, including the following: i. Whether and to what extent Defendant had a duty to protect the Private Information of Plaintiffs and Class Members; ii. Whether Defendant had respective duties not to disclose the Private Information of Plaintiffs and Class Members to unauthorized third parties; iii. Whether Defendant had respective duties not to use the Private Information of Plaintiffs and Class Members for non-business purposes; iv. Whether Defendant failed to adequately safeguard the Private Information of Plaintiffs and Class Members; v. Whether and when Defendant actually learned of the Data Breach; vi. Whether Defendant was negligent in failing to notify Plaintiffs and Class Members that their Private Information had been compromised; vii. Whether Plaintiffs’ Private Information is for sale on the dark web; viii. Whether Defendant violated the law by failing to promptly notify Plaintiffs and Class Members that their Private Information had been compromised; ix. Whether Defendant failed to implement and maintain reasonable security procedures and practices appropriate to the nature and scope of the information compromised in the Data Breach; x. Whether Defendant adequately addressed and fixed the vulnerabilities which permitted the Data Breach to occur; xi. 
Whether Plaintiffs and Class Members are entitled to actual damages, statutory damages, and/or nominal damages as a result of Defendant's wrongful conduct; and xii. Whether Plaintiffs and Class Members are entitled to injunctive relief to redress the imminent and currently ongoing harm faced as a result of the Data Breach. 165. Typicality: Plaintiffs’ claims are typical of those of the other members of the Class because Plaintiffs, like every other Class Member, were exposed to virtually identical conduct and now suffer from the same violations of the law as each other member of the Class. 166. Policies Generally Applicable to the Class: This class action is also appropriate for certification because Defendant acted or refused to act on grounds generally applicable to the Class, thereby requiring the Court’s imposition of uniform relief to ensure compatible standards of conduct toward the Class Members and making final injunctive relief appropriate with respect to the Class as a whole. Defendant's policies challenged herein apply to and affect Class Members uniformly and Plaintiffs’ challenges of these policies hinge on Defendant's conduct with respect to the Class as a whole, not on facts or law applicable only to Plaintiffs. 167. Adequacy: Plaintiffs will fairly and adequately represent and protect the interests of the Class Members in that they have no disabling conflicts of interest that would be antagonistic to those of the other Class Members. Plaintiffs seek no relief that is antagonistic or adverse to the Class Members and the infringement of the rights and the damages they have suffered are typical of other Class Members. Plaintiffs have retained counsel experienced in complex class action and data breach litigation, and Plaintiffs intend to prosecute this action vigorously. 168. Superiority and Manageability: The class litigation is an appropriate method for fair and efficient adjudication of the claims involved. 
Class action treatment is superior to all other available methods for the fair and efficient adjudication of the controversy alleged herein; it will permit a large number of Class Members to prosecute their common claims in a single forum simultaneously, efficiently, and without the unnecessary duplication of evidence, effort, and expense that thousands of individual actions would require. Class action treatment will permit the adjudication of relatively modest claims by certain Class Members, who could not individually afford to litigate a complex claim against large corporations, like Defendant. Further, even for those Class Members who could afford to litigate such a claim, it would still be economically impractical and impose a burden on the courts. 169. The nature of this action and the nature of laws available to Plaintiffs and Class Members make the use of the class action device a particularly efficient and appropriate procedure to afford relief to Plaintiffs and Class Members for the wrongs alleged because Defendant would necessarily gain an unconscionable advantage since they would be able to exploit and overwhelm the limited resources of each individual Class Member with superior financial and legal resources; the costs of individual suits could unreasonably consume the amounts that would be recovered; proof of a common course of conduct to which Plaintiffs were exposed is representative of that experienced by the Class and will establish the right of each Class Member to recover on the causes of action alleged; and individual actions would create a risk of inconsistent results and would be unnecessary and duplicative of this litigation. 170. The litigation of the claims brought herein is manageable. Defendant's uniform conduct, the consistent provisions of the relevant laws, and the ascertainable identities of Class Members demonstrate that there would be no significant manageability problems with prosecuting this lawsuit as a class action. 171. 
Adequate notice can be given to Class Members directly using information maintained in Defendant's records. 172. Unless a Class-wide injunction is issued, Defendant may continue in its failure to properly secure the PII of Class Members, PII will be released to the dark web, Defendant may continue to refuse to provide proper notification to Class Members regarding the Data Breach, and Defendant may continue to act unlawfully as set forth in this Petition. 173. Further, Defendant has acted on grounds that apply generally to the Class as a whole, so that class certification, injunctive relief, and corresponding declaratory relief are appropriate on a class-wide basis. 174. Likewise, particular issues under Rule 42(d)(1) are appropriate for certification because such claims present only particular, common issues, the resolution of which would advance the disposition of this matter and the parties’ interests therein. Such particular issues include, but are not limited to: i. Whether Defendant failed to timely notify the Plaintiffs and the class of the Data Breach; ii. Whether Defendant owed a legal duty to Plaintiffs and the Class to exercise due care in collecting, storing, and safeguarding their Private Information; iii. Whether Defendant's security measures to protect their data systems were reasonable in light of best practices recommended by data security experts; iv. Whether Defendant's failure to institute adequate protective security measures amounted to negligence; v. Whether Defendant failed to take commercially reasonable steps to safeguard consumer Private Information; and vi. Whether adherence to FTC security recommendations, and measures recommended by data security experts would have reasonably prevented the Data Breach. V. CAUSES OF ACTION COUNT 1 NEGLIGENCE (On Behalf of Plaintiffs and the Class) 175. Plaintiffs re-allege and incorporate by reference all preceding allegations, as if fully set forth herein. 176. 
Defendant gathered and stored the PII of Plaintiffs and Class Members as part of its business of offering employment and gym services. 177. Plaintiffs and Class Members entrusted Defendant with their PII with the understanding that Defendant would safeguard their information. 178. Defendant had full knowledge of the sensitivity of the PII and the types of harm that Plaintiffs and Class Members could and would suffer if the PII were wrongfully disclosed. 179. By assuming the responsibility to collect and store this data, and in fact doing so, and sharing it and using it for commercial gain, Defendant had a duty of care to use reasonable means to secure and safeguard their computer system property—and Class Members’ PII held within it—to prevent disclosure of the information, and to safeguard the information from theft. Defendant’s duty included a responsibility to implement processes by which they could detect a breach of its security systems in a reasonably expeditious period of time and to give prompt notice to those affected in the case of a data breach. 180. Defendant had a duty to employ reasonable security measures under Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45, which prohibits “unfair . . . practices in or affecting commerce,” including, as interpreted and enforced by the FTC, the unfair practice of failing to use reasonable measures to protect confidential data. 181. Defendant owed a duty of care to Plaintiffs and Class Members to provide data security consistent with industry standards and other requirements discussed herein, and to ensure that its systems and networks adequately protected the Private Information. 182. Defendant's duty of care to use reasonable security measures arose as a result of the special relationship that existed between Defendant and Plaintiffs and Class Members. That special relationship arose because Plaintiffs and the Class entrusted Defendant with their confidential Private Information. 183. 
Defendant’s duty to use reasonable care in protecting confidential data arose not only as a result of the statutes and regulations described above, but also because Defendant is bound by industry standards to protect confidential Private Information. 184. Defendant was subject to an “independent duty,” untethered to any contract between Defendant and Plaintiffs or the Class. 185. Defendant also had a duty to exercise appropriate clearinghouse practices to remove Private Information it was no longer required to retain pursuant to regulations. 186. Moreover, Defendant had a duty to promptly and adequately notify Plaintiffs and the Class of the Data Breach. Defendant breached that duty by failing to provide Plaintiffs and Class Members adequate notification of the details of the Data Breach. 187. Defendant had and continues to have a duty to adequately disclose that the PII of Plaintiffs and the Class within Defendant’s possession might have been compromised, how it was compromised, precisely the types of data that were compromised and when, and whether PII is published to the dark web. Such notice was necessary to allow Plaintiffs and the Class to take steps to prevent, mitigate, and repair any identity theft and the fraudulent use of their PII by third parties. 188. Defendant breached its duties, pursuant to the FTC Act and other applicable standards, and thus was negligent, by failing to use reasonable measures to protect Class Members’ Private Information. The specific negligent acts and omissions committed by Defendant include, but are not limited to, the following: i. Failing to adopt, implement, and maintain adequate security measures to safeguard Plaintiffs and Class Members’ Private Information; ii. Failing to provide Plaintiffs and Class Members timely notice of the Data Breach; iii. Failing to adequately monitor the security of their networks and systems; iv. Allowing unauthorized access to Plaintiffs’ and Class Members’ Private Information; v. 
Failing to detect in a timely manner that Class Members’ Private Information had been compromised; vi. Failing to remove Private Information it was no longer required to retain pursuant to regulations; vii. Failing to timely and adequately notify Class Members about the Data Breach’s occurrence and scope, so that they could take appropriate steps to mitigate the potential for identity theft and other damages; and viii. Failing to secure its stand-alone personal computers, such as the reception desk computers, even after discovery of the data breach. 189. Defendant violated Section 5 of the FTC Act by failing to use reasonable measures to protect Private Information and not complying with applicable industry standards, as described in detail herein. Defendant’s conduct was particularly unreasonable given the nature and amount of Private Information it obtained and stored and the foreseeable consequences of the immense damages that would result to Plaintiffs and the Class. 190. Plaintiffs and Class Members were within the class of persons the Federal Trade Commission Act was intended to protect and the type of harm that resulted from the Data Breach was the type of harm this statute was intended to guard against. 191. Defendant’s violation of Section 5 of the FTC Act constitutes negligence. 192. The FTC has pursued enforcement actions against businesses, which, as a result of their failure to employ reasonable data security measures and avoid unfair and deceptive practices, caused the same harm as that suffered by Plaintiffs and the Class. 193. A breach of security, unauthorized access, and resulting injury to Plaintiffs and the Class was reasonably foreseeable, particularly in light of Defendant’s inadequate security practices. 194. It was foreseeable that Defendant’s failure to use reasonable measures to protect Class Members’ Private Information would result in injury to Class Members. 
Further, the breach of security was reasonably foreseeable given the known high frequency of cyberattacks and data breaches. 195. Defendant has full knowledge of the sensitivity of the PII and the types of harm that Plaintiffs and the Class could and would suffer if the PII were wrongfully disclosed. 196. Plaintiffs and the Class were the foreseeable and probable victims of any inadequate security practices and procedures. Defendant knew or should have known of the inherent risks in collecting and storing the PII of Plaintiffs and the Class, the critical importance of providing adequate security of that PII, and the necessity for encrypting PII stored on Defendant’s systems or transmitted through third party systems. 197. Plaintiffs and the Class had no ability to protect their PII that was in, and possibly remains in, Defendant’s possession. 198. Defendant was in a position to protect against the harm suffered by Plaintiffs and the Class as a result of the Data Breach. 199. Defendant’s duty extended to protecting Plaintiffs and the Class from the risk of foreseeable criminal conduct of third parties, which has been recognized in situations where the actor’s own conduct or misconduct exposes another to the risk or defeats protections put in place to guard against the risk, or where the parties are in a special relationship. See Restatement (Second) of Torts § 302B. Numerous courts and legislatures have also recognized the existence of a specific duty to reasonably safeguard personal information. 200. But for Defendant’s wrongful and negligent breach of duties owed to Plaintiffs and the Class, the PII of Plaintiffs and the Class would not have been compromised. 201. There is a close causal connection between Defendant’s failure to implement security measures to protect the PII of Plaintiffs and the Class and the harm, or risk of imminent harm, suffered by Plaintiffs and the Class. 
The PII of Plaintiffs and the Class was lost and accessed as the proximate result of Defendant’s failure to exercise reasonable care in safeguarding such PII by adopting, implementing, and maintaining appropriate security measures. 202. As a direct and proximate result of Defendant’s negligence, Plaintiffs and the Class have suffered and will suffer injury, including but not limited to: (i) invasion of privacy; (ii) lost or diminished value of PII; (iii) lost time and opportunity costs associated with attempting to mitigate the actual consequences of the Data Breach; (iv) loss of benefit of the bargain; (v) lost opportunity costs associated with attempting to mitigate the actual consequences of the Data Breach; (vi) statutory damages; (vii) nominal damages; and (viii) the continued and certainly increased risk to their PII, which: (a) remains unencrypted and available for unauthorized third parties to access and abuse; and (b) remains backed up in Defendant’s possession and is subject to further unauthorized disclosures so long as Defendant fails to undertake appropriate and adequate measures to protect the PII. 203. Additionally, as a direct and proximate result of Defendant’s negligence, Plaintiffs and the Class have suffered and will suffer the continued risks of exposure of their PII, which remain in Defendant’s possession and is subject to further unauthorized disclosures so long as Defendant fails to undertake appropriate and adequate measures to protect the PII in its continued possession. 204. Plaintiffs and Class Members are entitled to compensatory and consequential damages suffered as a result of the Data Breach. 205. Plaintiffs and Class Members are also entitled to injunctive relief requiring Defendant to (i) strengthen its data security systems and monitoring procedures; (ii) submit to future annual audits of those systems and monitoring procedures; and (iii) provide adequate credit monitoring to all Class Members. 
COUNT II NEGLIGENCE PER SE (On Behalf of Plaintiffs and the Class) 206. Plaintiffs re-allege and incorporate by reference all preceding allegations, as if fully set forth herein. 207. Pursuant to the Federal Trade Commission Act, 15 U.S.C. § 45, Defendant had a duty to provide fair and adequate computer systems and data security practices to safeguard Plaintiffs’ and Class Members’ Private Information. 208. Defendant breached its duties to Plaintiffs and Class Members under the FTCA by failing to provide fair, reasonable, or adequate computer systems and data security practices to safeguard Plaintiffs’ and Class Members’ Private Information. 209. Defendant’s failure to comply with applicable laws and regulations constitutes negligence *per se*. 210. Plaintiffs and Class Members are within the class of persons the FTC Act was intended to protect and the harm to Plaintiffs and Class Members resulting from the Data Breach was the type of harm against which the statutes were intended to prevent. 211. But for Defendant’s wrongful and negligent breach of their duties owed to Plaintiffs and Class Members, Plaintiffs and Class Members would not have been injured. 212. The injury and harm suffered by Plaintiffs and Class Members was the reasonably foreseeable result of Defendant’s breach of its duties. Defendant knew or should have known that the failure to meet its duties, and that Defendant’s breach would cause Plaintiffs and Class Members to experience the foreseeable harms associated with the exposure of their Private Information. 213. Plaintiffs and Class Members were damaged as a result of Defendant's negligence. 214. As a direct and proximate result of Defendant’s negligent conduct, Plaintiffs and Class Members have suffered injury and are entitled to compensatory, consequential, and punitive damages in an amount to be proven at trial. COUNT III BREACH OF IMPLIED CONTRACT (On Behalf of Plaintiffs and the Class) 215. 
Plaintiffs re-allege and incorporate by reference all preceding allegations, as if fully set forth herein. 216. Plaintiffs and the Class entrusted their PII to Defendant. In so doing, Plaintiffs and the Class entered into implied contracts with Defendant by which Defendant agreed to safeguard and protect such information, to keep such information secure and confidential, and to timely and accurately notify Plaintiffs and the Class if their data had been breached and compromised or stolen. 217. In entering into such implied contracts, Plaintiffs and Class Members reasonably believed and expected that Defendant’s data security practices complied with relevant laws and regulations and were consistent with industry standards. 218. Implicit in the agreement between Plaintiffs and Class Members and the Defendant to provide PII, was the latter’s obligation to: (a) use such PII for business purposes only, (b) take reasonable steps to safeguard that PII, (c) prevent unauthorized disclosures of the PII, (d) provide Plaintiffs and Class Members with prompt and sufficient notice of any and all unauthorized access and/or theft of their PII, (e) reasonably safeguard and protect the PII of Plaintiffs and Class Members from unauthorized disclosure or uses, (f) retain the PII only under conditions that kept such information secure and confidential. 219. The mutual understanding and intent of Plaintiffs and Class Members on the one hand, and Defendant, on the other, is demonstrated by their conduct and course of dealing. 220. Defendant solicited, offered, and invited Plaintiffs and Class Members to provide their PII as part of Defendant’s regular business practices. Plaintiffs and Class Members accepted Defendant’s offers and provided their PII to Defendant. 221. In accepting the PII of Plaintiffs and Class Members, Defendant understood and agreed that it was required to reasonably safeguard the PII from unauthorized access or disclosure. 222. 
On information and belief, at all relevant times Defendant promulgated, adopted, and implemented written privacy policies whereby it expressly promised Plaintiffs and Class Members that it would only disclose PII under certain circumstances, none of which relate to the Data Breach. 223. On information and belief, Defendant further promised to comply with industry standards and to make sure that Plaintiffs’ and Class Members’ PII would remain protected. 224. Plaintiffs and Class Members would not have entrusted their PII to Defendant in the absence of the implied contract between them and Defendant to keep their information reasonably secure. 225. Plaintiffs and Class Members would not have entrusted their PII to Defendant in the absence of their implied promise to monitor their computer systems and networks to ensure that it adopted reasonable data security measures. 226. Plaintiffs and Class Members fully and adequately performed their obligations under the implied contracts with Defendant. 227. Defendant breached the implied contracts it made with Plaintiffs and the Class by failing to safeguard and protect their personal information, by failing to delete the information of Plaintiffs and the Class once the relationship ended, and/or by failing to provide accurate notice to them that personal information was compromised as a result of the Data Breach. 228. As a direct and proximate result of Defendant’s breach of the implied contracts, Plaintiffs and Class Members sustained damages, as alleged herein, including the loss of the benefit of the bargain. Specifically, Plaintiffs and Class Members were damaged as a result of Defendant's breach (as alleged above). 229. Plaintiffs and Class Members are entitled to compensatory, consequential, and nominal damages suffered as a result of the Data Breach. 230. 
Plaintiffs and Class Members are also entitled to injunctive relief requiring Defendant to, e.g., (i) strengthen its data security systems and monitoring procedures; (ii) submit to future annual audits of those systems and monitoring procedures; and (iii) immediately provide adequate credit monitoring to all Class Members. COUNT IV UNJUST ENRICHMENT (On Behalf of Plaintiffs and the Class) 231. Plaintiffs re-allege and incorporate by reference all preceding allegations, as if fully set forth herein. 232. Plaintiffs bring this count in the alternative to the breach of implied contract count above. 233. Plaintiffs and Class Members conferred a monetary benefit on Defendant. Specifically, Defendant and/or its agents were paid for Defendant’s services and in so doing, Plaintiffs and Class Members also provided Defendant with their PII. In exchange, Plaintiffs and Class Members should have received from Defendant the services that were the subject of the transaction and should have had their PII protected with adequate data security. 234. Defendant knew that Plaintiffs and Class Members conferred a benefit upon it and has accepted and retained that benefit by accepting and retaining the PII entrusted to it. Defendant profited from Plaintiffs’ retained data and used Plaintiffs’ and Class Members’ PII for business purposes. 235. Defendant failed to secure Plaintiffs’ and Class Members’ PII and, therefore, did not fully compensate Plaintiffs or Class Members for the value that their PII provided. 236. Defendant acquired the PII through inequitable record retention as it failed to investigate and/or disclose the inadequate data security practices previously alleged. 237. If Plaintiffs and Class Members had known that Defendant would not use adequate data security practices, procedures, and protocols to adequately monitor, supervise, and secure their PII, they would not have entrusted their PII to Defendant. 238. Plaintiffs and Class Members have no adequate remedy at law. 
239. Under the circumstances, it would be unjust for Defendant to be permitted to retain any of the benefits that Plaintiffs and Class Members conferred upon it. 240. As a direct and proximate result of Defendant’s conduct, Plaintiffs and Class Members have suffered and will suffer injury, including but not limited to: (i) invasion of privacy; (ii) lost or diminished value of PII; (iii) lost time and opportunity costs associated with attempting to mitigate the actual consequences of the Data Breach; (iv) loss of benefit of the bargain; (v) lost opportunity costs associated with attempting to mitigate the actual consequences of the Data Breach; (vi) statutory damages; (vii) nominal damages; and (viii) the continued and certainly increased risk to their PII, which: (a) remains unencrypted and available for unauthorized third parties to access and abuse; and (b) remains backed up in Defendant’s possession and is subject to further unauthorized disclosures so long as Defendant fails to undertake appropriate and adequate measures to protect the PII. 241. Plaintiffs and Class Members are entitled to full refunds, restitution, and/or damages from Defendant and/or an order proportionally disgorging all profits, benefits, and other compensation obtained by Defendant from its wrongful conduct. This can be accomplished by establishing a constructive trust from which the Plaintiffs and Class Members may seek restitution or compensation. 242. Plaintiffs and Class Members may not have an adequate remedy at law against Defendant, and accordingly, they plead this claim for unjust enrichment in addition to, or in the alternative to, other claims pleaded herein. VI. PRAYER FOR RELIEF WHEREFORE, Plaintiffs, on behalf of themselves and Class Members, request judgment against Defendant and that the Court grants the following: A. For an Order certifying the Class under Okla. Stat. tit. 
12 § 2023, defining the Class as requested herein, appointing the undersigned as Class counsel, and finding that Plaintiffs are proper representatives of the Class requested herein;

B. For a judgment in favor of Plaintiffs and the Class, awarding them appropriate monetary relief, including compensatory damages, punitive damages, nominal damages, attorneys’ fees, expenses, costs, and such other and further relief as is just and proper;

C. For injunctive relief requested by Plaintiffs, including but not limited to, injunctive and other equitable relief as is necessary to protect the interests of Plaintiffs and Class Members, including but not limited to an order:

i. prohibiting Defendant from engaging in the wrongful and unlawful acts described herein;

ii. requiring Defendant to provide Plaintiffs and the Class Members full and adequate notice of the Data Breach and the details surrounding the Data Breach;

iii. requiring Defendant to protect, including through encryption, all data collected through the course of its business in accordance with all applicable regulations, industry standards, and federal, state or local laws;

iv. requiring Defendant to delete, destroy, and purge the personal identifying information of Plaintiffs and Class Members unless Defendant can provide to the Court reasonable justification for the retention and use of such information when weighed against the privacy interests of Plaintiffs and Class Members;

v. requiring Defendant to provide out-of-pocket expenses associated with the prevention, detection, and recovery from identity theft, tax fraud, and/or unauthorized use of their PII for Plaintiffs’ and Class Members’ respective lifetimes;

vi. requiring Defendant to implement and maintain a comprehensive Information Security Program designed to protect the confidentiality and integrity of the PII of Plaintiffs and Class Members;

vii. prohibiting Defendant from maintaining the PII of Plaintiffs and Class Members on a cloud-based database;

viii. requiring Defendant to engage independent third-party security auditors/penetration testers as well as internal security personnel to conduct testing, including simulated attacks, penetration tests, and audits on Defendant’s systems on a periodic basis, and ordering Defendant to promptly correct any problems or issues detected by such third-party security auditors;

ix. requiring Defendant to engage independent third-party security auditors and internal personnel to run automated security monitoring;

x. requiring Defendant to audit, test, and train its security personnel regarding any new or modified procedures;

xi. requiring Defendant to segment data by, among other things, creating firewalls and controls so that if one area of Defendant’s network is compromised, hackers cannot gain access to portions of Defendant’s systems;

xii. requiring Defendant to conduct regular database scanning and securing checks;

xiii. requiring Defendant to establish an information security training program that includes at least annual information security training for all employees, with additional training to be provided as appropriate based upon the employees’ respective responsibilities with handling personal identifying information, as well as protecting the personal identifying information of Plaintiffs and Class Members;

xiv. requiring Defendant to routinely and continually conduct internal training and education, and on an annual basis to inform internal security personnel how to identify and contain a breach when it occurs and what to do in response to a breach;

xv. requiring Defendant to implement a system of tests to assess its respective employees’ knowledge of the education programs discussed in the preceding subparagraphs, as well as randomly and periodically testing employees’ compliance with Defendant’s policies, programs, and systems for protecting personal identifying information;

xvi. requiring Defendant to implement, maintain, regularly review, and revise as necessary a threat management program designed to appropriately monitor Defendant’s information networks for threats, both internal and external, and assess whether monitoring tools are appropriately configured, tested, and updated;

xvii. requiring Defendant to meaningfully educate all Class Members about the threats that they face as a result of the loss of their confidential personal identifying information to third parties, as well as the steps affected individuals must take to protect themselves; and

xviii. requiring Defendant to implement logging and monitoring programs sufficient to track traffic to and from Defendant’s servers.

D. For an order requiring Defendant to pay the costs involved in notifying the Class about the judgment and administering the claims process;

E. For a judgment in favor of Plaintiffs and the Class, awarding them pre-judgment and post-judgment interest, reasonable attorneys’ fees, costs, and expenses as allowable by law; and

F. Such other and further relief as this Court may deem just and proper.

JURY TRIAL DEMANDED

Plaintiffs demand a trial by jury on all claims so triable.

Dated: February 9, 2026

Respectfully submitted,

/s/ William B. Federman
William B. Federman, OBA No. 2853
Jonathan Herrera, OBA No. 33529
FEDERMAN & SHERWOOD
10205 N. Pennsylvania Ave.
Oklahoma City, OK 73120
Tel: (405) 235-1560
Email: [email protected]
Email: [email protected]
Counsel for Plaintiffs and the Proposed Class

EXHIBIT 1

Excel Fitness
c/o Cyberscout
PO Box 1286
Dearborn, MI 48120-9998

PM8Q0X00101521
SEYCHELLE KESSLER

August 8, 2025

Dear Seychelle Kessler,

Excel Fitness is writing to inform you of an incident that may have involved some of your personal information. We take the privacy and security of data in our care very seriously and are providing information about the incident, our response, and steps you can take to help protect your information.

What Happened: On or around January 17, 2025, we became aware of potential unauthorized access into an employee’s email account. Upon discovery, we took immediate action to address and investigate the event, which included engaging third-party specialists to assist with determining the nature and scope of the incident. The investigation confirmed that a limited number of employee email accounts were intermittently subject to unauthorized access for limited periods of time between September 16, 2024, and January 18, 2025. Therefore, we conducted a comprehensive review of the relevant information to determine the types of information present and to whom that information related. After a thorough investigation, the preliminary results of the review were received, and we then promptly began working to confirm necessary address information to provide relevant individuals with notification. On July 9, 2025, all necessary information was confirmed, and we then worked to notify relevant individuals as quickly as possible.

What Information Was Involved: The potentially affected information may have included your first and last name, in combination with your Social Security Number.

What We Are Doing: We have taken steps to address the event and are committed to protecting the information that you have entrusted to us. Upon learning of this incident, we immediately took steps to secure our email environment and launched a thorough investigation. As an additional safeguard for your information, we arranged for you to enroll, at no cost to you, in an online credit monitoring service for 12 months. Due to state and federal privacy laws, we cannot enroll you directly. If you wish to take advantage of this complimentary credit monitoring service, you must enroll yourself and additional information regarding how to enroll is enclosed.

What You Can Do: In addition to enrolling in the complimentary credit monitoring service detailed within, we recommend that you remain vigilant against incidents of identity theft and fraud by reviewing your credit reports/account statements for suspicious activity and to detect errors. If you discover any suspicious or unusual activity on your accounts, please promptly contact the financial institution or company. We have also provided additional information below, which contains more information about steps you can take to help protect yourself against fraud and identity theft.
Disclaimer: This content is sourced from publicly available court records. Crazy Civil Court is an entertainment platform and does not provide legal advice. We are not lawyers. All information is presented as-is from public filings.