Business Associate Data Breach Affects 55K Bosch Choice Welfare Benefit Plan Members
A business associate data breach has affected 55,000 members of the Bosch Choice Welfare Benefit Plan, and a data breach has been reported by Leidos QTC Health First Rehabilitation Resources.
Bosch Choice Welfare Benefit Plan
On October 31, 2025, Bosch Choice Welfare Benefit Plan reported a data breach to the HHS’ Office for Civil Rights (OCR) that affected 55,000 of its members. Bosch Choice Welfare Benefit Plan is a flexible benefits program for Bosch employees in the United States that includes health, dental, vision, life, and disability insurance.
While limited details have been made public about the data breach, OCR closed the investigation quickly and has shared information on the incident via its data breach portal. A vendor of one of the health plan’s business associates experienced a cybersecurity incident that involved unauthorized access to systems containing names, Social Security numbers, dates of birth, claims, health insurance information, and diagnoses/conditions.
Neither Bosch nor the HHS mentioned the name of the business associate, but the HHS report on the breach indicates the incident also affected other covered entities. The business associate has notified the affected covered entities and is issuing notifications to the affected individuals, and has implemented additional technical safeguards to better protect protected health information in its possession. While the breach occurred at the business associate, Bosch Choice Welfare Benefit Plan chose to report the breach itself to OCR.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Leidos QTC Health First Rehabilitation Resources (First Health Resources)
Leidos QTC Health First Rehabilitation Resources, doing business as First Rehabilitation Resources (FRR), has identified a breach of its email system. FRR, a provider of independent medical examinations and health care services, identified suspicious activity within its email system in August 2025. Immediate action was taken to prevent further unauthorized access, including shutting down the email system and associated IT services.
Assisted by third-party cybersecurity experts, FRR confirmed that its email system had been secured and the threat had been neutralized; however, patient data had been exposed. The data potentially compromised in the incident included names, driver’s license numbers/government ID numbers, Social Security numbers, medical information, and health insurance information. No evidence of data misuse has been identified.
FRR confirmed that additional security measures have been implemented to prevent similar incidents in the future, including upgrading the Leidos core email platform and hosting it in a highly secure environment with government-grade security, and issuing all FRR employees with new, secure, Leidos-managed laptop computers and mobile phones. The data breach has been reported to regulators, but it is not yet shown on the HHS’ Office for Civil Rights website, so it is currently unclear how many individuals have been affected.
