Abbott Brought Back Into Retirement Plan Cybersecurity Lawsuit

Previously dismissed from the lawsuit, Abbott is accused in an amended complaint of failing to monitor its recordkeeper and failing to enforce a security question routine on its benefits website.

Last month, Abbott Laboratories defendants were dismissed from a lawsuit alleging failures related to an employee’s retirement account theft.

The lawsuit was filed in April by a retiree participant in the Abbott Laboratories Stock Retirement Plan. It alleges that failures in website and call center protocols resulted in $245,000 in unauthorized distributions from the participant’s plan account.

U.S. District Judge Thomas M. Durkin of the U.S. District Court for the Northern District of Illinois found that the complaint’s “conclusory statements” failed to sufficiently allege that Abbott was a fiduciary. He said the complaint also failed to allege any fiduciary acts taken by Abbott linked it to the alleged theft. Durkin pointed out that while the complaint alleged that the call center and website were used to perpetuate the theft, it also indicated that both are operated by Alight.

In a conversation with PLANSPONSOR, Susan Rees, of counsel at The Wagner Law Group, called the decision “provisional” and said she expected the participant could be able to correct pleading errors by “focusing on the actual fiduciaries and plan administrator.” In other words, the judge took Abbott off the hook for procedural reasons, Rees said.

The plaintiff is trying to correct those pleading errors now in a first amended complaint filed October 23. In the new complaint, the plaintiff says the defendants—Abbott; the named plan administrator; and the plan’s recordkeeper, Alight Solutions—failed to enforce a security question routine set up for security purposes on the website,, and instead simply provided a one-time code over the phone that was used to loot her account.

In addition, the complaint mentions other instances of unauthorized distributions in Alight recordkept retirement plans, including from when the company operated as Aon Hewitt, and says Abbott and the plan administrator “were, or should have been, aware of Alight’s demonstrated inability to prevent unauthorized access to plan participants’ information and/or unauthorized transfers of plan funds.” The complaint states that “despite prior instances of data breaches and unauthorized transfers, as well as Alight’s practices that led to a Department of Labor [DOL] investigation, along with Alight’s general lax attitude toward data security,” the plan administrator and Abbott continued to allow Alight to provide services to the plan.

The lawsuit includes claims that Abbott and the plan administrator failed to monitor Alight.