Over 413,000 Individuals Affected by Kelly Benefits Data Breach

by

Employee benefits administrator, Kelly & Associates Insurance Group, based in Sparks, Maryland, dba Kelly Benefits, has published edited figures on the number of people impacted by a cyberattack on December 2024. On April 9, 2025, Kelly Benefits at first reported the data breach as an event related to unauthorized access to the information of 32,234 people. A few weeks afterwards, on April 21, 2025, the number of impacted people went up to 263,893. The total was modified again as 413,032 affected persons were found, with 12 more clients identified. The breach notice indicates that the total might go up again. Listed below are the confirmed companies affected by the Kelly Benefits data breach.

Companies Impacted by Kelly Benefits Data Breach

  1. Aetna Life Insurance Company
  2. Amergis
  3. Allergis
  4. Beltway Companies, LLC
  5. Beam Benefits
  6. CareFirst BlueCross BlueShield
  7. Fidelity Building Services Group
  8. Intercon Truck of Baltimore, Inc.
  9. Humana Insurance ACE
  10. Maxim Healthcare Services, Inc.
  11. Nutramax Laboratories Inc.
  12. Quantum Real Estate Management, LLC
  13. Publishers Circulation Fulfilment, Inc.
  14. Populus
  15. Renaissance Life & Health Insurance Company of America
  16. Reliance Standard Life Insurance Company
  17. Skyline Technology Solutions LLC
  18. Single Affiliated Covered Entity
  19. Sun Life Assurance Company of Canada
  20. The Guardian Life Insurance Company of America
  21. Transforming Lives Inc.
  22. United Healthcare Services, Inc.
  23. United Concordia Companies
  24. University of Maryland Medical System
  25. Virtua Health
  26. Virtual Service Operations
  27. Young Life

Several HIPAA-covered entities reported the data breach themselves and were not included in the 413,000 reported by Kelly Benefits. For example, Lincoln National Corporation, also known as Lincoln Financial, submitted a breach report to the HHS’ Office for Civil Rights indicating that 1,123 individuals were affected.

Kelly Benefits explained in its breach notification letters that it discovered suspicious activity within its network on December 17, 2024. Third-party digital forensics experts investigated the activity and confirmed unauthorized network access from December 12, 2024 to December 17, 2024. At that time, the attacker copied files from its system. The forensics experts completed the file analysis on March 3, 2025, and Kelly Benefits mailed the notification letters to the impacted persons on May 2, 2025.

The incident exposed different types of data for the individuals affected. This data might include names, birth dates, Social Security numbers, medical insurance data, financial account details, and health data. The impacted persons were provided free credit monitoring and identity theft protection services for one year.

With the increase in the victim count comes the rise in the number of lawsuits filed against Kelly Benefits associated with the data breach. More than twelve class action lawsuits were filed, and more are expected. As a HIPAA business associate, Kelly Benefits must ensure HIPAA compliance, and this aspect may be investigated as well, with the rise of lawsuits filed against it.

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches. You can follow James on Twitter https://x.com/JamesKeoghHIPAA and contact James on LinkedIn https://www.linkedin.com/in/james-keogh-89023681 or email directly at [email protected]