Pittsburg law firm Davies, McFarland, & Carroll yesterday confirmed it notified 54,712 people of a May 2025 data breach that compromised the following personal info:
- Names
- Social Security numbers
- Medical treatment or history
- Health insurance info
- Dates of birth
- Addresses
Ransomware gang Lynx took credit for the attack on June 4, 2025.
Davies, McFarland & Carroll has not verified Lynx’s claim. We do not know if the firm paid a ransom, how much Lynx demanded, or how attackers breached the firm’s network. Comparitech contacted Davies, McFarland & Carroll for comment and will update this article if it replies.
“On or about May 22, 2025, DMC detected that an unauthorized party obtained access to our internal network,” says the firm’s notice to victims.
“After an extensive forensic investigation and document review, on September 25, 2025, we determined that certain files containing your information were stored in the impacted systems and may have been subject to unauthorized access or acquisition between May 19, 2025 and May 22, 2025.”
Davies, McFarland & Carroll is offering eligible victims 12 months of free credit monitoring and fraud assistance through TransUnion. The enrollment deadline is 90 days from receipt of the notice letter in the mail.
Who is Lynx?
Lynx is a spin-off of Inc, another prominent ransomware group. Lynx operates a ransomware-as-a-service scheme in which affiliates pay Lynx to use its malware and infrastructure to launch attacks and collect ransoms. Lynx’s malware both steals data and encrypts target systems.
Lynx has claimed responsibility for 316 attacks since it began listing targets on its data leak site in July 2024. 45 of those claims were confirmed by the targeted organizations, which notified more than 200,000 people of the ensuing data breaches.
Some of Lynx’s other recently-confirmed attacks include those on:
- Riverside Resort Hotel and Casino in July 2024
- TriMed in October 2025
- Silverado Contractors in December 2024
- Oakland Museum of California in July 2025
- True World Foods in August 2025
- Telcom Insurance Group in May 2025
Ransomware attacks on US legal firms
Comparitech researchers have logged 18 confirmed ransomware attacks on US law firms in 2025 to date, compromising nearly 80,000 records. This attack on Davies, McFarland, & Carroll is the largest by far, followed by a February 2025 attack on Montgomery, Little & Soran.
Murphy, Pearson, Bradley & Feeney confirmed a breach earlier this month following an April 2025 attack claimed by Akira.
Ransomware gangs have made another 200 unconfirmed attack claims against US law firms this year that haven’t been publicly acknowledged by the targeted firms.
Ransomware attacks on US law firms can jeopardize sensitive client data and lock down computer systems used for everything from file storage to communication and payroll. If a firm doesn’t pay the ransom, the attack can cause costly delays and downtime while putting clients at risk of fraud.
About Davies, McFarland, & Carroll
Davies, McFarland & Carroll, LLC is a defense litigation law firm based in Pittsburgh, Pennsylvania. It employs six attorneys whose practice areas include commercial, product, and civil litigation; insurance defense; environmental law, medical malpractice, and mediation.
