Montana’s Largest Newspaper Company Agrees to $9.5 Million Payout, Faces 3 New Class-Action Claims
By Clark Kauffman, Iowa Capital Dispatch as part of States Newsroom
Montana’s largest newspaper company, Lee Enterprises,has agreed to pay $9.5 million to subscribers alleging privacy violations and is now facing three invasion-of-privacy lawsuits from current or former employees.
The three new lawsuits, each filed in U.S. District Court for the Southern District of Iowa, allege that Lee, which owns hundreds of newspapers and specialty publications in Iowa and 24 other states, is guilty of negligence, breach of an implied contract, unjust enrichment and invasion of privacy.
Lee’s Montana newspapers include The Billings Gazette, Missoulian, the Montana Standard, Helena Independent Record and the Ravalli Republic.
Each of the three lawsuits is seeking class-action status in pursuit of damages on behalf of thousands of current and former Lee employees whose personal information is believed to have been accessed by cybercriminals. The three named plaintiffs in the cases are Nicole Church of Colona, Illinois; Declan Lawson of Missoula, Montana; and Anthony Bangert of Wisconsin.
According to the lawsuits, on June 3, 2025, Lee began sending letters to current and former employees advising of them that the private information of certain employees had been accessed by others without authorization. The lawsuits allege the letters omitted details such as the cause of the data breach, the system vulnerabilities that had been exploited, and any remedial measures undertaken to guard against additional security breaches.
In one of the cases, the plaintiff asserts the “purported disclosure amounts to no real disclosure at all” in that it fails to provide critical facts surrounding the incident, limiting workers’ ability to take steps to mitigate any damages that might result. Lee, the lawsuits claim, could have prevented the data breach by properly securing and encrypting the files and file servers containing the employees’ private information and by training its employees on standard cybersecurity practices.
The data breach, one of the plaintiffs alleges, could have been avoided had Lee “bothered to implement basic monitoring and detection systems, which then would have stopped the data breach or greatly reduced its impact.”
Lee Enterprises has yet to file a response to the lawsuits, and Tracy Rouch, director of communications for Lee, said the company does not comment on pending litigation.
However, Lee has stated that it has incurred $2 million in expenses related to restoring data systems in the wake of the February 2025 cyberattack. The company has also indicated the data breach affected the company’s finances by hampering its ability to bill customers and pay vendors.
The Qilin ransomware group has claimed credit for the attack and alleged that it gained access to 350 gigabytes of data. It also shared samples of what it claimed was data stolen from the company, including contracts, financial spreadsheets, non-disclosure agreements and other confidential files.
In SEC filings and in a filing with the attorney general of Maine, Lee indicated the data breach involved documents containing personally identifiable information related to 39,779 individuals. The documents may include a mix of names, Social Security numbers, driver’s license data, financial account numbers, medical information and health insurance data, according to the Maine attorney general.
The plaintiffs Lawson and Bangert are each represented by the law firm of Shindler, Anderson, Goplerud & Weese of West Des Moines. Church is represented by Josh Christensen of RSH Legal in Cedar Rapids.
Lee agrees to $9.5 million payout in subscriber case
It’s not the first time data systems at Lee have been hacked. In 2020, Iranian cybercriminals allegedly gained access to the company’s systems as part of a what prosecutors claimed was a campaign to spread disinformation related to the 2020 presidential election. Two Iranian nationals were later charged with conspiracy to commit computer fraud and abuse, intimidate voters, and transmit interstate threats. Court records indicate the criminal case remains open and active.
In December 2022, a group of subscribers to Lee newspapers sued the company, alleging it had failed to disclose that their personal identifying information was being captured by various tracking methods embedded in Lee websites and then transferred to the social-media company Facebook where it could be accessed by others.
The lawsuit, which attained class-action status, alleged individuals could use fairly basic web-browsing tools to see the titles of whatever video content had triggered the initial exchange of information between Lee and Facebook, providing an indirect link between named Facebook users and the specific videos those users had watched on Lee websites.
The plaintiffs in that case sought a temporary injunction requiring Lee to immediately remove tracking tools from the company’s websites and to obtain the appropriate consent from subscribers for any information sharing that may take place.
In March 2025, the parties in that case reached a proposed settlement which they presented to the court for preliminary approval.
According to public court filings, the proposed settlement grew out of an all-day mediation session in November 2024 before Judge Wayne R. Andersen in Fort Myers, Florida. Andersen later provided a mediator’s proposal that recommended the matter be resolved by Lee or its insurer paying $9.5 million to settle the case, and the parties agreed.
Court records indicate the proposed settlement involves 1,528,941 paid subscribers to Lee newspapers who accessed video material on a Lee website at any time between December 2020 through March 4, 2025, and who used Facebook during that same period.
In a memorandum supporting court approval of the settlement, the parties state that the “$9,500,000 will yield a significant benefit to each of the participating class members,” while avoiding costly litigation that could drag on for years.
According to the court records, the settlement agreement also requires revisions to Lee’s business practices.
A court hearing on final approval of the settlement agreement is now scheduled for August 7, 2025.
This story was originally produced by the Iowa Capital Dispatch which is part of States Newsroom, a nonprofit news network, including the Daily Montanan, supported by grants and a coalition of donors as a 501c(3) public charity.
Editor’s note: Iowa Capital Dispatch Deputy Editor Clark Kauffman was employed by Lee Enterprises from 1987 to 2000 and Editor-in-chief Kathie Obradovich was employed by the company from 1987 to 2003. News stories from the Iowa Capital Dispatch are sometimes republished in Lee Enterprises’ Iowa newspapers.