Navia Benefit Solutions, a behind-the-scenes benefits administrator that handles accounts for more than 10,000 US employers, has confirmed that hackers roamed inside its systems for nearly a month before anyone noticed.
The company discovered suspicious activity on Jan. 23, 2026. But when investigators dug deeper, they found that an unauthorized actor had been accessing and grabbing information since December 22, 2025, meaning the breach went undetected for over three weeks. The access continued until January 15, 2026.
According to a March 18 filing with the Maine Attorney General’s Office, nearly 2.7 million individuals are affected. The company officially puts the number at 2,697,540 people.
Navia is a consumer-focused benefits administrator headquartered in Renton, Washington. Many people impacted by this breach have likely never heard of the company, even though it manages their workplace benefits.
What data was stolen
The investigation determined that hackers exfiltrated a mix of personal identifiers and health account details. According to the company’s official notice to affected individuals, the exposed information includes:
- Full names
- Social Security numbers
- Dates of birth
- Phone numbers
- Email addresses
On the health benefits side, the breach exposed information on participation in Health Reimbursement Arrangements (HRAs), Flexible Spending Accounts (FSAs), and COBRA enrollment. Navia emphasized in its notification that “no claims or financial data were disclosed” during the incident. Some of the records involved date back to 2018, according to reports.
Company response
After discovering the intrusion, Navia launched an investigation and began reviewing the security of its systems. The company also notified federal law enforcement about the breach.
In its notification letter, Navia said: “The confidentiality, privacy, and security of personal information is among Navia’s highest priorities, and we have security measures in place to protect information in our care.” Navia also stated it is reviewing its policies and procedures “related to the storage and access of personal information to reduce the likelihood of a similar future event.”
What should affected individuals do?
Navia began mailing notification letters to impacted individuals on March 18. Those letters include an enrollment code for the free 12-month identity protection and credit monitoring services through Kroll. Recipients can activate their account online at enroll.krollmonitoring.com/redeem using the code provided in the letter.
Security experts recommend that anyone affected take several additional steps:
- Place a fraud alert on your credit files with the three major credit bureaus, Equifax, Experian, and TransUnion. A fraud alert requires businesses to verify your identity before issuing new credit in your name.
- Consider a security freeze, which blocks anyone from accessing your credit report entirely unless you lift it. This is a stronger measure that can prevent criminals from opening new accounts using stolen information.
- Monitor financial statements and credit reports regularly for suspicious activity. Individuals can obtain free credit reports at AnnualCreditReport.com.
- Stay vigilant about phishing attempts. With Social Security numbers and contact information now in attackers’ hands, targeted scams may follow.
As of now, no ransomware group has publicly claimed responsibility for the attack. The full scope of how the attackers accessed Navia’s systems and whether the stolen data is being actively used remains unclear. Investigations are still ongoing.
Also read: AI rollouts, major security breaches, and broader industry shakeups are unfolding simultaneously, reshaping the broader tech landscape.
