A healthcare benefits administrator serving more than 10,000 American employers has disclosed a major security breach that compromised the Social Security numbers and personal data of nearly 2.7 million citizens, raising fresh concerns about the vulnerability of private medical information.
What Happened at Navia Benefit Solutions
Navia Benefit Solutions, which manages Flexible Spending Accounts, Health Savings Accounts, and other employee benefits programs, detected suspicious activity on its computer systems on January 23. The company’s investigation revealed that hackers had infiltrated their networks and maintained access for nearly a month, from December 22, 2025, through January 15, 2026. During this window, cybercriminals extracted a substantial volume of personally identifiable information from Navia’s databases, according to a March 18 filing with the Maine Attorney General’s office.
The stolen data includes Social Security numbers and health plan information such as Health Reimbursement Arrangement participation, COBRA enrollment details, and Flexible Spending Account records. Navia stated that no claims or financial data were accessed during the breach. However, security experts warn that the compromised information provides criminals with everything needed to commit identity theft and launch sophisticated social engineering attacks against victims.
Steps for Affected Americans
Navia began sending notification letters to affected individuals on March 18. Those whose data was compromised qualify for one year of identity monitoring services through Kroll, a leading risk management firm. Each letter contains a unique activation code and enrollment instructions, which must be completed by a specified deadline at enroll.krollmonitoring.com/redeem. Recipients should act promptly to secure these protective services at no cost.
Protecting Your Identity
Security professionals recommend that all affected individuals take immediate defensive measures. Freezing your credit with all three major bureaus prevents criminals from opening new accounts in your name and should remain your default setting unless actively applying for credit. Setting up a one-year fraud alert adds an additional verification layer when credit applications are submitted. Americans should regularly monitor their credit reports and bank statements for unauthorized activity, reporting any suspicious transactions immediately to their financial institutions. The Federal Trade Commission accepts identity theft reports online, and victims should also file reports with local police departments to create an official record of the crime.