- Public Disclosure: December 31, 2025 — The company and its affiliated insurers issued a formal notice about the incident.
- Discovery: The company first discovered suspicious activity on April 15, 2025.
- Unauthorized Access Window: Between April 7 and April 15, 2025, an unknown threat actor gained unauthorized access to certain systems.
- Review Completion: A thorough internal and forensic review of impacted systems and files was completed on December 17, 2025 — nearly eight months after the intrusion.
What Was Exposed
The breach affected files and systems that contained sensitive personal and health-related information, including:
- Names of affected individuals
- Social Security Numbers (SSNs)
- Individual Taxpayer Identification Numbers (ITINs)
- Dates of birth
- Financial account information
- Medical or health insurance information
Because the breach exposed both personally identifiable information (PII) and protected health information (PHI), the risk to affected individuals is significantly heightened — particularly for identity theft, financial fraud, and medical identity misuse.
Who Might Be Affected
The incident potentially impacts:
- Current and former policyholders
- Certificate holders
- Beneficiaries
- Others whose information was stored in the compromised systems or files
The company has been notifying individuals directly via mailed notices where contact information was available, but individuals who haven’t received notice may still have been affected due to missing or outdated contact details.
Company Response & Remediation
To address the breach and help protect affected individuals:
Security Actions Taken
- The company secured and monitored its systems to prevent further unauthorized access.
- It engaged with cybersecurity professionals to investigate the breach and its scope
Assistance for Affected Individuals
- Complimentary Identity Protection: One year of free credit monitoring and identity restoration services is being provided through a third-party provider (often IDX).
- Individuals who believe they were affected but did not receive a notice can call a dedicated support line for assistance.
Risks to Individuals
Exposure of this combination of sensitive data can lead to:
- Identity Theft: Fraudsters can use SSNs and birthdates to open new accounts or file fraudulent tax returns.
- Financial Fraud: Bank or investment accounts could be targeted.
- Medical Identity Theft: Misuse of medical records for fraudulent claims or prescriptions.
Given the sensitivity of medical information, loss of such data can also create privacy risks beyond typical financial or credit threats.
Legal and Regulatory Implications
- The breach notice complies with state and federal requirements, including filings with state attorneys general and possibly HIPAA breach reporting standards (protected health data reporting to HHS).
- Law firms are investigating potential class action claims and individuals may be eligible to seek compensation if they can show harm or costs resulting from the breach.
What You Can Do Now
Whether or not you received a direct notice:
1. Monitor Your Credit
- Request free annual credit reports from the three major bureaus (Equifax, Experian, TransUnion).
- Look for unfamiliar accounts or inquiries.
2. Credit Protection Tools
- Place a fraud alert or credit freeze on your file — both are free and can help block unauthorized credit activity.
3. Watch Financial & Medical Statements
- Review bank, retirement, and medical bills for any suspicious charges or unfamiliar services.
4. Use the Provided Protection Services
- Enroll in the offered credit monitoring and identity restoration services — even if you’re unsure you were affected.
5. Report Suspicious Activity
- File reports with the FTC and local law enforcement if identity theft or fraud occurs.
