Navia Benefit Solutions Breach Exposes Data on 2.7 Million Benefits Enrollees
Navia Benefit Solutions, a Washington-based third-party workplace benefits administrator serving more than 10,000 U.S. employers, disclosed a cyberattack that gave unauthorized actors read-only access to its network between December 22, 2025, and January 15, 2026. The company said the breach may have affected 2,697,540 individuals and exposed a broad set of personal and benefits data, including names, dates of birth, Social Security numbers, phone numbers, email addresses, and enrollment information tied to FSA, HRA, and COBRA accounts, with some records reportedly dating back to 2018.
Navia detected suspicious activity on January 23 and said it notified federal law enforcement and regulators, including the U.S. Department of Health and Human Services, in a breach reportable under HIPAA. Notification letters began going out on March 18 after a substitute notice was posted on March 13, and the company is offering 12 months of credit monitoring and identity theft protection through Kroll. One confirmed affected client, the Washington State Health Care Authority, said the incident involved records spanning seven years for tens of thousands of PEBB, SEBB, and COFA members, as well as data linked to 37 school districts; Navia has not said ransomware was involved and no ransomware group has claimed the attack.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
8 events from the most recent confirmed update back to the earliest known activity.
Report links Navia breach to BOLA flaw in API endpoint
A March 24, 2026 report said the Navia breach was caused by a Broken Object Level Authorization vulnerability in an API endpoint, which allegedly enabled an unknown actor to obtain read-only access to sensitive data. This introduced new technical detail about the mechanism behind the broader 2.7 million-person incident.
HackerOne says Navia breach affected nearly 300 employees
HackerOne disclosed that a breach at benefits administrator Navia Benefit Solutions exposed sensitive employee and benefits data belonging to nearly 300 of its workers. The company said the incident originated in Navia's environment rather than HackerOne's own systems and criticized the delayed notification.
Washington State Health Care Authority confirms impact
The Washington State Health Care Authority said the breach affected records spanning seven years for tens of thousands of PEBB, SEBB, and COFA members, as well as data tied to 37 school districts. This identified a confirmed downstream client affected by the Navia incident.
Navia discloses 2.7 million-person breach and notifies authorities
Navia publicly disclosed that a cyberattack may have exposed personal and benefits data of nearly 2.7 million individuals, including names, dates of birth, Social Security numbers, contact details, and FSA, HRA, and COBRA information. The company also notified federal law enforcement and regulators, including the U.S. Department of Health and Human Services.
Navia begins mailing breach notification letters
On March 18, 2026, Navia began sending notification letters to affected individuals about the breach. The company said 2,697,540 people may have been impacted and offered 12 months of credit monitoring and identity theft protection.
Navia posts substitute breach notice
Navia posted a substitute notice about the data breach as part of its public notification process. This occurred before individual letters were mailed to affected people.
Navia detects suspicious activity
Navia said it detected suspicious activity in its environment on January 23, 2026, prompting an investigation into the incident. The company later linked the activity to unauthorized access affecting benefits and personal data.
Attackers access Navia systems
Navia Benefit Solutions later determined that unauthorized actors had read-only access to its network and systems during this period. The exposure window ran from December 22, 2025 through January 15, 2026.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
13 references tracked. Mallory keeps watching after this page renders.
Infinite Campus reports hack after ShinyHunters extortion attempt | brief | SC Media
scworld.com
Open sourceUS jails Russian ransomware access broker | brief | SC Media
scworld.com
Open sourceIntel chiefs push clean 702 extension as deadline looms | brief | SC Media
scworld.com
Open sourceRecent Navia data breach impacts HackerOne employee data
securityaffairs.com
Open sourceNavia Benefit Solutions Discloses Data Breach Affecting 2.7 Million Individuals
hipaajournal.com
Open source2.7 million hit in workplace benefits data breach exposing SSNs, dates of birth and health account data - IT Security Guru
itsecurityguru.org
Open sourceOffice of the Maine AG: Consumer Protection: Privacy, Identity Theft and Data Security Breaches
maine.gov
Open sourceOffice of the Maine AG: Consumer Protection: Privacy, Identity Theft and Data Security Breaches
maine.gov
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Navia Benefits Breach Exposes Health Plan Data of 2.6 Million People
Navia Benefits Solutions, a third-party administrator for health and benefits plans, disclosed a data breach affecting more than 2.6 million people, with some reports putting the total at about 2.7 million. The incident exposed sensitive personal and benefits-related information tied to health plan administration, making it one of the larger recent breaches involving employee benefits data. Reporting indicates the stolen information included personally identifiable data and health plan details held by Navia on behalf of clients. Because Navia serves as an intermediary for employers and benefit programs, the breach has broad downstream impact for organizations whose workers and dependents entrusted the company with benefits enrollment and related records.
Jun 28, 2026
Delayed patient notifications following healthcare data breaches at providers and vendors
Multiple healthcare organizations and vendors reported **delayed patient notifications** after discovering unauthorized access to protected health information (PHI), in some cases more than a year after the underlying compromise. In Colorado, **Alpine Ear, Nose, and Throat (Alpine ENT)** notified **65,648** individuals that an attacker accessed and exfiltrated files containing PHI in an incident identified on **Nov. 19, 2024**; the **BianLian** ransomware group later claimed responsibility and posted the organization to its leak site. Exposed data was described as highly sensitive, including medical information and, for some individuals, **financial account data and payment card details** (including CVC/expiration) and **Social Security numbers**; Alpine ENT reported no confirmed identity theft at the time of notification and offered credit monitoring. Separately, **Bayada Home Health Care** disclosed exposure risk tied to a **third-party vendor (Doctor Alliance)** after Doctor Alliance reported unauthorized network access during **Oct.–Nov. 2025**, potentially affecting Home Health Certification and Plan of Care forms containing patient identifiers and clinical/insurance details (and **SSNs for a subset**). Bayada said it discontinued using Doctor Alliance and reported the matter to regulators. In another vendor-related incident, **TriZetto Provider Solutions (Cognizant)**—an insurance verification provider—suffered a cyberattack impacting PHI across multiple states; Oregon providers began notifying additional patients after the breach was reported as occurring in **Nov. 2024** but not discovered until **Oct. 2, 2025**, with no financial data reportedly compromised and no evidence of misuse so far; the incident has prompted **class-action lawsuits**, engagement of **Mandiant**, and law enforcement notification.
Mar 21, 2026
Third-Party Healthcare and Benefits Service Provider Breaches Expand to Millions of Victims
Health insurance technology provider **TriZetto Provider Solutions** (a Cognizant subsidiary) updated breach notifications indicating the impact of its **November 2024** intrusion has grown to **more than 3.4 million** affected individuals. Disclosures to state regulators and downstream notifications from county governments and healthcare providers indicate theft of sensitive personal data including **addresses, Social Security numbers, and health insurance identifiers**, with some jurisdictions reporting hundreds of thousands of impacted residents. Separately, the **Conduent** incident has expanded dramatically in public filings, with reported totals rising from roughly **10.5 million** to **more than 25 million** affected individuals across the US, including a major increase in **Texas** (reported at **15.4 million**) while **Oregon** remains around **10.5 million**. Reporting indicates attackers maintained access for roughly **three months** and exfiltrated about **8 TB** of data, underscoring the systemic risk posed by large, behind-the-scenes vendors that support **Medicaid/SNAP and other state benefit programs**, healthcare-related processing, and major employer services—creating a wide “blast radius” even for individuals unfamiliar with the vendor name.
Mar 21, 2026