
Health plan information for over 2.6 million stolen from third-party admin Navia

Navia Benefit Solutions said millions of people had health plan information, Social Security numbers and other sensitive data stolen during a security incident that began in December.

The company is a third-party administrator for more than 10,000 companies, managing company healthcare benefits like Health Reimbursement Arrangements (HRAs) and Flexible Spending Accounts (FSAs) as well as commuter benefits and other employee spending accounts. 

Navia confirmed the breach in a notice on its website and with regulators in Maine, where the company said 2,697,540 people were affected. 

The breach notification letters say names, dates of birth, Social Security numbers, phone numbers, email addresses and detailed health plan information were stolen during the cyberattack, which was discovered on January 23.

Navia said the health plans impacted include HRAs, FSAs and Consolidated Omnibus Budget Reconciliation Act (COBRA) plans. 

“Additionally, potentially impacted data points are limited to items such as termination date and election date. No claims or financial data were disclosed,” Navia explained. 

An investigation revealed the hackers were in Navia’s systems from December 22 to January 15. Federal law enforcement and the U.S. Department of Health and Human Services were notified of the attack when it was discovered, according to the letters. 

Washington state’s healthcare authority sent out a local notice warning residents that Navia is the administrator of the FSA and Dependent Care Assistance Program (DCAP) for state programs. 

The notice says the Navia records that were impacted date back to 2018 and affect about 35,000 union workers in the state, some of whom worked for local school districts. Washington officials noted that the information of children was included in the breach because many are on their parents’ healthcare plan. 

Navia is now facing multiple class action lawsuits in response to the breach.

Cybercriminals have repeatedly targeted employee benefits plan administrators over the years as a way to steal sensitive healthcare information. TriZetto, a company that creates software to manage health insurance claims and payments, reported a data breach last month that exposed the information of three million people. 

Other health insurance administration companies like Landmark, Carruth Compliance Consulting and others have reported massive data breaches caused by cybercriminals or ransomware gangs. 

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.