A notable increase in the number of individuals affected by a recent data breach at a Maryland-based outsourced benefits and payroll management firm has been reported. Kelly & Associates Insurance Group, operating under the name Kelly Benefits, has now confirmed that nearly 264,000 individuals and nine large clients have had their sensitive personal information potentially compromised as a result of the breach that occurred in December.
The initial estimate of the breach’s impact, reported by Kelly Benefits earlier this month, indicated that approximately 32,234 individuals were affected. However, the latest figures provided by the company show a significant rise in the number of victims, reaching 263,893 affected individuals. The breach has been reported to state regulators and the U.S. Department of Health and Human Services as a HIPAA violation.
According to Kelly Benefits, breach notifications are being sent out on behalf of the nine clients impacted by the incident, including Amergis, Beam Benefits, Beltway Companies, CareFirst BlueCross BlueShield, Guardian Life Insurance Co., Intercon Truck of Baltimore, Publishers Circulation Fulfilment, Quantum Real Estate Management, and Transforming Lives. The company has refrained from commenting on the breach due to the sensitivity of the situation and the ongoing investigation.
An investigation into the breach revealed that unauthorized access to the company’s IT environment occurred between December 12 and December 17, 2024. During this period, certain files were accessed and copied by the attackers. In response, Kelly Benefits initiated a thorough review of the affected files to identify the information present and the individuals to whom it pertained, cross-referencing internal records to match the individuals with the appropriate client or carrier.
The compromised information may include names, Social Security numbers, dates of birth, medical information, health insurance details, and financial account information, varying among the affected individuals. The company has informed the FBI about the breach and is actively enhancing its security protocols, procedures, and tools to prevent future incidents.
In light of the breach, at least one proposed federal class action lawsuit has been filed against Kelly Benefits, alleging negligence in safeguarding sensitive personally identifiable information from unauthorized access. The lawsuit emphasizes the continued risk of identity theft and fraudulent use of individuals’ personal information, even with the provision of credit monitoring services post-breach.
As stated in the lawsuit, cybercriminals have the ability to combine stolen data from breaches with other sources to facilitate identity fraud and unauthorized account activities. The lawsuit underscores the importance of robust data protection measures and the potential consequences of failing to adequately secure sensitive information.
Overall, the increasing number of individuals affected by the Kelly Benefits data breach highlights the critical need for organizations to prioritize data security and implement stringent measures to safeguard sensitive information from cyber threats and unauthorized access. The incident serves as a reminder of the ongoing challenges posed by cybercrime and the imperative for organizations to remain vigilant and proactive in addressing potential security vulnerabilities in today’s digital landscape.