
The number of people affected by a data breach at Kelly Benefits has grown more than tenfold over the past month. On May 2, 2025, the company disclosed that 413,032 individuals had been affected by a hacking incident that occurred in December 2024. This is the third report from the company since April 9, 2025.
On April 9, 2025, the company first reported that 32,234 individuals had been affected, and on April 21, they filed a supplemental report increasing the number to 263,893.
Headquartered in Baltimore, Maryland, Kelly & Associates Insurance Group, Inc., also known as Kelly Benefits, is one of the nation’s largest providers of benefits administration, brokerage, and consulting services, as well as payroll solutions and other tools.
At least twenty-five corporate customers are affected, including insurance companies and health plans like United Healthcare, OptiMed Health, Vision Benefits of America, Aetna Life Insurance Company, and CareFirst BlueCross BlueShield, among others.
Kelly Benefits’ website notice of the breach explained that the company:
“learned of suspicious activity within our environment and immediately launched an investigation, with the assistance of third-party forensic specialists, to determine the nature and scope of the activity.”
The investigation found that hackers accessed Kelly Benefits’ IT environment between December 12 and December 17, 2024, and copied and removed certain files.
While the information exposed varies for each potentially affected individual, it may include an individual’s name and one or more of the following: Social Security number, tax ID number, date of birth, medical information, health insurance information, and financial account information.
Business Associates are Cybercrime Targets
Kelly Benefits is a unique HIPAA business associate because it provides third-party administration services to covered entities, including health plans and healthcare providers.
HIPAA business associates, such as Kelly Benefits, hold large amounts of protected health information (PHI) because they serve multiple separate covered entities.
Third-party administrator (TPA) business associates are vital administrative hubs for the U.S. healthcare system. They connect employer-sponsored health plans with employees and health insurance companies. TPAs transmit, receive, create, and maintain PHI continuously to perform services for health plans of all sizes and for countless individuals who are members or customers of United Healthcare, OptiMed, Aetna, etc.
The U.S. Department of Health and Human Services (HHS) included TPAs in its count of covered entities affected by the Omnibus Rule, even though they are business associates, because “their representation” of ERISA health plans makes them an appropriate “surrogate” for the plans.
A cybersecurity lapse that allows hackers to access a HIPAA-regulated entity’s information systems can result in the disclosure of protected health information (PHI), potentially affecting numerous individuals.
TPAs are particularly at risk because they communicate with so many parties, any one of which could unknowingly open the door to a hacker because a single person opened a phishing email.
The network of HIPAA covered entities, business associates, and individuals sharing PHI is enormous, and the sophistication of their technology is uneven, making it difficult to quickly determine who was affected by a breach.
Verizon Data Breach Investigations Report Finds Third-Party Data Breach Risk
The most recent Verizon DBIR reports that 30% of breaches across all sectors were linked to third-party involvement, twice the figure reported last year.
To mitigate third-party risks, a business associate, such as Kelly Benefits, and every HIPAA-regulated entity must do two things.
- Analyze and manage its organization’s privacy and security risks, and
- Conduct due diligence on other entities with which it shares PHI.
The second is as important as the first. Weakly protected entities are low-hanging fruit for hackers.
Class Action Lawsuits Are on the Horizon
Multiple law firms are advertising for potential victims of the Kelly Benefits breach to join a class action for breach of privacy. Information Media Security Group is reporting that 13 proposed federal class action lawsuits have been filed against the company.
Lower Risks With HIPAA Compliance
An annual risk analysis, workforce training, and a vigilant risk management program year-round will lower the risks of criminal hacks and theft. If the worst happens and a hacker manages to breach your system, strong cybersecurity defenses can reduce the damage by limiting access and providing early detection.
Care, vigilance, and preventive efforts through compliance will also help defend against claims of negligence in breach of privacy lawsuits. Review your compliance today to ensure you’re doing everything possible to protect the private data entrusted to you.