A Maryland-based outsourced benefits and payroll manager is notifying nine large customers and nearly 264,000 individuals that their private and sensitive data may have been compromised in a December hack. The number of impacted people has increased by eight-fold since Kelly & Associates Insurance Group, also known as Kelly Benefits, published an estimate of the hack's scope earlier this month.
The company's current total of 263,893 affected persons is far higher than the 32,234 initially reported on April 9 to state regulators and the US Department of Health and Human Services as a HIPAA breach.
The benefits company announced that it is sending breach notices to impacted individuals on behalf of nine clients: Amergis, Beam Benefits, Beltway Companies, CareFirst BlueCross BlueShield, Guardian Life Insurance Co., Intercon Truck of Baltimore, Publishers Circulation Fulfilment, Quantum Real Estate Management, and Transforming Lives.
Kelly Benefits declined to comment, citing "the sensitive nature of the incident and subsequent investigation.”
An investigation following the incident revealed that unauthorised access to the company's IT infrastructure occurred between December 12 and December 17, 2024. The company claimed that throughout that period, the attackers copied and stole specific files.
"Kelly Benefits then began a time-intensive and detailed review of all files affected by this event to determine what information was present in the impacted files and to whom it related," the company noted. It analysed internal records to match the individual with the relevant client or carrier.
Individuals' information compromised in the event varies, but it could include their name, Social Security number, date of birth, medical information, health insurance information, or financial account information.
Kelly Benefits informed the FBI about the incident. This company stated that it is still reviewing its security policies, procedures, and technologies. At the time of writing, at least one proposed federal class action lawsuit against Kelly Benefits was filed in connection with the hacking incident. The lawsuit claims Kelly Benefits was negligent in failing to safeguard sensitive personally identifying information from unauthorised access.
"Even with several months of credit monitoring services, the risk of identity theft and unauthorized use of plaintiff's and class members' PII is still substantially high. Cybercriminals need not harvest a person's Social Security number or financial account information in order to commit identity fraud or misuse plaintiffs and the class's PII," the lawsuit notes. "Cybercriminals can cross-reference the data stolen from the data breach and combine with other sources to create 'Fullz' packages, which can then be used to commit fraudulent account activity on plaintiff and the class's financial accounts."
