Yale University has been hit with its second putative class action in 10 weeks over a data breach that could have affected more than 119,000 alumni, faculty and staff.

The federal lawsuit was e-filed Monday evening in the U.S. District Court for the District of Connecticut. It asserts that in June 2018 Yale discovered during a security review of its servers that hackers gained access to electronic records containing personal information stored on its database between April 2008 and January 2009.

The breach, the lawsuit says, included the disclosure of names and Social Security numbers. It also included, in almost all instances, dates of birth, email addresses and, in some cases, physical addresses.

The latest lawsuit was filed on behalf of plaintiff Andrew Mason, a Virginia resident who attended a summer program at Yale during 2005. A similar lawsuit was filed Aug. 1 on behalf of Julie Mason, who also previously attended Yale. It's not clear if Andrew and Julie Mason are related.

Those affected, the lawsuit says, were notified of the breach about six weeks after the university found out  about it. Yale offered 12 months of free identity-theft protection services to those notified.

But the new 15-page lawsuit seeks to hold the university liable for the breach. The three-count complaint alleges negligence, unfair trade practices under the Connecticut General Statutes, and reckless, wanton and willful misconduct.

Yale, the lawsuit maintains, “improperly retained personal information, which was subsequently transferred to unauthorized persons during the breach, as evidenced by its statements that the personal identification information compromised in the breach was deleted from servers in September 2011 because it was unnecessary personal data.”

Karen Peart, director of external communications for Yale, said the university would not be commenting on the matter. As of Tuesday afternoon, Yale had not assigned attorneys to the case.

The lawsuit cites the Yale Daily News on Aug. 2 as saying the perpetrators of the breach are unknown, and that the university isn't pursuing an investigation because identifying the culprit or culprits a decade later would “not be possible.”

The lawsuit also alleges Yale has had previous cybersecurity concerns.

The university, the complaint says, had known about its data privacy issues since at least 2011 when it discovered that 43,000 Yale community members' Social Security numbers had been accessible online for almost a year.

“It was again made aware of its data security issues when it was notified in 2012 by the hacker group, NullCrew, that it obtained personal information about Yale students and staff members by exploiting security faults in Yale's databases,” the suit claims.

The lawsuit also alleges the university's “substandard security practices” led to the breach. It seeks class certification, compensatory and punitive damages, plus declaratory and injunctive relief as the court deems appropriate.

The plaintiff is represented by six attorneys: James Miller and Laurie Rubinow of Chester-based Shepherd, Finkelman, Miller & Shah; Gary Mason and Danielle Perry of the Washington, D.C.-based Whitfield Bryson & Mason; Charles Schaffer of Levin Sedran & Berman in Philadelphia; and Jeffrey Goldenberg of Cincinnati-based Goldenberg Schneider.

Goldenberg referred all inquiries Tuesday to Mason, who along with the other five attorneys, did not respond to a request for comment.