NBC 4 in Washington, D.C., has reported that two unions have joined in a lawsuit against the Office of Personnel Management over a privacy breach that they say might have affected 14 million people.

OPM head Katherine Archuleta is named as a defendant in the suit along with chief information officer Donna Seymour. Among the plaintiffs are the American Federation of Government Employees and the AFL-CIO.

Part of the suit alleges:

From 2007 to the present, the OPM, Seymour, and Archuleta — who has served as the OPM’s director since November 2013 — repeatedly failed to comply with federal law and make the changes required by the OIG’s annual audit reports. Thus the OPM failed to comply with the Privacy Act which requires federal agencies to “establish appropriate administrative, technical, and physical safeguards to insure the security and confidentiality of records and to protect against any anticipated threats or hazards to their security or integrity which could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual on whom information is maintained.”

National Review’s Jim Geraghty has published a piece on “the hack who let OPM get hacked” and now finds herself a defendant in a $1 billion privacy suit.