Navia Benefit Solutions, Inc. disclosed a data breach involving unauthorized access to its network between December 22, 2025, and January 15, 2026, affecting 2,697,540 individuals and requiring notification under the HIPAA Breach Notification Rule.
Incident Details
Navia Benefit Solutions, Inc. in Renton, Washington identified unauthorized activity within its systems on or around January 15, 2026. According to forensic analysis, an external party accessed the company’s network from December 22, 2025 up to January 15, 2026.
The organization provides administration services for employee benefits, such as COBRA and Health Care Flexible Spending Accounts. In performing these services, it accesses data for employers across the United States. The breach impacted current and former participants as well as their dependents. A notification submitted to the Maine Attorney General reported a total of 2,697,540 affected individuals.
Data Involved
Information potentially compromised during the incident included names, telephone numbers, email addresses, Social Security numbers, Navia ID numbers, physical addresses, enrollment start and end dates, employee ID numbers, and birth dates.
Breach Response
Navia Benefit Solutions initiated an internal investigation to define the scope and nature of the unauthorized access and implemented measures to secure its systems. Federal law enforcement received notification of the incident. The company is also implementing additional security controls and conducting additional workforce HIPAA training.
There is no mention about the involvement of ransomware or ransom demand to the incident. No group has publicly claimed responsibility.
Navia Benefit Solutions posted a substitute breach notice on its website on March 13, 2026. Sending of written notifications to affected individuals began on March 18, 2026. The organization also notified the Department of Health and Human Services and issued a media notice in alignment with the HIPAA Breach Notification Rule. At the time of reporting, the incident is not yet posted on the Department of Health and Human Services Office for Civil Rights breach portal.
Impacted Organizations
The Washington State Health Care Authority is affected by the breach. Navia Benefit Solutions serves as the administrator for Flexible Spending Arrangement and Dependent Care Assistance Program services tied to the Public Employees Benefits Board and School Employees Benefits Board programs.
Washington State Health Care Authority issued a notice that about 27,000 old and new Public Employees Benefits Board members, 5,600 current and former School Employees Benefits Board members, and 3,000 current and former Compacts of Free Association islander members were affected. Data linked to 37 school districts that had prior contracts with Navia before January 2020 was also potentially involved.
Regulatory Status
The incident meets the criteria for reporting under the HIPAA Breach Notification Rule based on the number of individuals affected and the categories of data involved. Notifications to individuals, regulators, and the media have been initiated.