Two more law firms have appeared on the Texas Office of the Attorney General’s Data Security Breach Reports page, continuing a steady run of legal-sector incidents affecting Texas residents in 2026. Together, the two firms reported breaches affecting 12,352 Texans.
Dykema Gossett PLLC — 6,132 Texans
Dykema Gossett PLLC, a large full-service firm headquartered at 777 Woodward Avenue, Detroit, Michigan, reported a breach published May 28, 2026. The exposed data was extensive:
- Names
- Addresses
- Social Security numbers
- Driver’s license numbers
- Financial information
- Medical information
- Health insurance information
The firm reported providing notice to affected consumers via U.S. Mail.
Modjarrad & Associates, PC d/b/a MAS Law — 6,220 Texans
Modjarrad & Associates, PC, doing business as MAS Law, is a Richardson, Texas firm (212 West Spring Valley Rd). Its report, published May 22, 2026, covered 6,220 Texans and an equally sensitive data set:
- Names
- Addresses
- Social Security numbers
- Driver’s license numbers
- Government-issued ID numbers
- Medical information
- Health insurance information
- Dates of birth
Notably, the OAG listing indicates consumer notice was not recorded as provided at the time of publication. Under Texas law, entities are generally required to notify affected individuals when 250 or more Texans are involved; “No” entries may reflect timing, an ongoing investigation, or pending notification.
Post-Breach Security Posture Assessment
We ran an independent EmailMeNow Cybersecurity Audit against each firm’s public-facing domain on June 1, 2026. The results show that both firms have gaps that “may weaken documentation of reasonable cybersecurity safeguards” under Texas SB 2610 and TDRPC 1.05 — with Dykema Gossett scoring in the Critical range:
| Firm (Domain) | Overall | Risk Level |
|---|---|---|
| Dykema Gossett PLLC (dykema.com) | 36% | Critical Risk |
| Modjarrad & Associates / MAS Law (maslaw.com) | 64% | High Risk |
Key takeaways from the assessments:
- Dykema Gossett (36%, Critical Risk) lands in the lowest compliance band, indicating gaps that leave the domain highly exposed to email impersonation and phishing of clients.
- MAS Law (64%, High Risk) scores materially better overall, but still falls within the High Risk band.
- Neither firm reaches a passing posture, underscoring that even large, well-resourced practices frequently lack documented “reasonable safeguards.”
These public-facing weaknesses don’t prove how either breach occurred, but they illustrate exactly the kind of unhardened identity, transport, and web controls that make a law firm an easier target — and harder to defend as “reasonable safeguards” after the fact.
A Pattern, Not a Coincidence
These two reports are not isolated. They join a growing 2026 list of law firm and legal-service breaches reported to the Texas OAG:
| Firm | Texans Affected | Date Published |
|---|---|---|
| Sprouse Shrader Smith PLLC | 17,666 | 05/05/2026 |
| Phillip Galyen P.C. dba Bailey & Galyen | 11,038 | 05/22/2026 |
| Modjarrad & Associates d/b/a MAS Law | 6,220 | 05/22/2026 |
| Dykema Gossett PLLC | 6,132 | 05/28/2026 |
| Gearhiser, Peters, Elliott & Cannon, PLLC | 3,717 | 03/17/2026 |
| Law Office of Michael R. De La Paz | 2,000 | 04/13/2026 |
| Rodenburg Law Firm | 606 | 04/24/2026 |
That is more than 47,000 Texans affected by law firm breaches reported in 2026 alone — and the list keeps growing. (See our earlier review of 21 law firm breaches and the Bailey & Galyen report.)
Why Law Firms Keep Getting Hit
Law firms concentrate exactly the data attackers want: Social Security numbers, driver’s licenses, financial records, medical information, and privileged client communications — often across many clients in a single matter. A breach can trigger:
- Texas breach-notification obligations (250+ Texans affected)
- Potential class-action exposure
- Professional-responsibility scrutiny under TDRPC 1.05 (confidentiality of client information)
- Questions about “reasonable safeguards” under Texas SB 2610
What Firms Should Do Now
The defenses are well established and defensible to document:
- Identity & spoofing protection — enforce strict SPF (-all) and DMARC (p=reject) with a subdomain policy
- Transport security — deploy MTA-STS in enforce mode, enable TLS-RPT and DNSSEC
- Website security — add HSTS, CSP, and X-Frame-Options headers
- Multi-factor authentication — on email, document management, and financial systems
- Vendor risk — review third-party access to client data
- Backups — protect from ransomware and test restoration
- Training & response — phishing awareness plus a documented, rehearsed incident-response plan
- Document everything for SB 2610 safe-harbor and TDRPC 1.05 compliance
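As an added illustration (not part of the original post, and not EmailMeNow's audit logic), the Python below grades the SPF, DMARC, MTA-STS, TLS-RPT and response-header items from the list above against records a firm has already fetched for its own domain. The example.com records are constructed sample data, the check names are this example's own, and DNSSEC is left out because verifying it needs a live validating resolver.

```python
# Added example: grades constructed records against the checklist above.
# All domains and record values are constructed sample data (example.com).

def parse_tags(text, sep=";", kv="="):
    """Parse 'k=v; k2=v2' records (or 'k: v' lines) into a lowercase-key dict."""
    tags = {}
    for part in text.split(sep):
        if kv in part:
            key, value = part.split(kv, 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit(dns, sts_policy, headers):
    """Return the sorted names of checklist controls the supplied data fails."""
    spf = dns.get("spf", "").lower().split()
    dmarc = parse_tags(dns.get("dmarc", ""))
    p = dmarc.get("p", "").lower()
    tlsrpt = parse_tags(dns.get("tlsrpt", ""))
    sts = parse_tags(sts_policy, sep="\n", kv=":")
    hdrs = {name.lower() for name in headers}
    checks = {
        "spf -all": spf[:1] == ["v=spf1"] and spf[-1:] == ["-all"],
        "dmarc p=reject": dmarc.get("v") == "DMARC1" and p == "reject",
        # RFC 7489: when sp is absent, subdomains inherit the p policy.
        "dmarc subdomain policy": dmarc.get("sp", p).lower() == "reject",
        "mta-sts enforce": sts.get("version") == "STSv1" and sts.get("mode") == "enforce",
        "tls-rpt": tlsrpt.get("v") == "TLSRPTv1" and "rua" in tlsrpt,
        "hsts": "strict-transport-security" in hdrs,
        "csp": "content-security-policy" in hdrs,
        "x-frame-options": "x-frame-options" in hdrs,
    }
    return sorted(name for name, ok in checks.items() if not ok)

WEAK = ({"spf": "v=spf1 include:_spf.example.com ~all",
         "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example.com"},
        "version: STSv1\nmode: testing\nmx: mail.example.com\nmax_age: 86400",
        {"X-Frame-Options": "DENY"})
HARDENED = ({"spf": "v=spf1 include:_spf.example.com -all",
             "dmarc": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com",
             "tlsrpt": "v=TLSRPTv1; rua=mailto:tlsrpt@example.com"},
            "version: STSv1\nmode: enforce\nmx: mail.example.com\nmax_age: 604800",
            {"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
             "Content-Security-Policy": "default-src 'self'",
             "X-Frame-Options": "DENY"})

if __name__ == "__main__":
    print("weak:", audit(*WEAK))
    print("hardened:", audit(*HARDENED))
```

The returned list of failed controls can be kept with the date of the check as part of the documentation trail the last bullet calls for.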
Check your firm’s public-facing security posture with a free Instant Cybersecurity Audit:
For help responding to or preventing incidents like these, contact EmailMeNow IT Consulting for a full hardening package.
Source: Texas Office of the Attorney General – Data Security Breach Reports