If I recall correctly, US Congress passed a resolution [1] shortly after the Equifax breaches became public that essentially restricted the capabilities of people to sue Equifax [2].
I believe the prohibition on ex post facto laws applies only to criminalization of behavior that was previously lawful. That is, it would not apply to civil matters of any sort, and it also would not apply where immunity is effectively conferred—only where prior actions are made illegal.
Upon quick searching, it looks like scholars have debated the civil/criminal point:
You can't be convicted for something that was legal when you did it but was made illegal afterwards, so retroactive prohibitions don't apply.
However, it's not symmetric - lifting prohibitions can be done retroactively, to not prosecute people for things they did back when it was still prohibited.
Unfair, arbitrary prosecution may violate someones rights, but unfair, arbitrary immunity can not - there's no right to get someone else punished.