Navia Benefit Solutions Discloses Data Breach Affecting 2.7 Million Individuals
Over a three-week period between December 2025 and January 2026, hackers had access to the network of a Washington-based employee benefits administrator and potentially acquired the data of almost 2.7 million* current and former participants and their dependents.
Renton, WA-based Navia Benefit Solutions, Inc., provides employee benefits administration services, including Health Care Flexible Spending Accounts and COBRA benefits. The company works with employers to manage tax-advantaged healthcare and dependent care accounts, and as such, maintains large amounts of employee data. The company has more than 10,000 clients nationwide and more than 1 million participants. The intrusion was identified on or around January 15, 2026, and the forensic investigation confirmed that its computer environment was subject to unauthorized access from December 22, 2025, to January 15, 2026. According to the breach notice provided to the Maine Attorney General, 2,697,540 individuals have been affected.
Navia Benefit Solutions uploaded a substitute breach notice to its website on March 13, 2026, and individual notification letters started to be mailed to the affected individuals on March 18, 2026. Data potentially compromised in the incident included names, email addresses, phone numbers, and Social Security numbers. The affected individuals have been offered complimentary credit monitoring and identity theft protection services for 12 months.
Navia Benefit Solutions said it moved quickly to respond to the incident and secure its systems, and an investigation was launched to determine the nature and scope of the incident. Federal law enforcement was notified, and the company has been working to implement additional security measures and provide its employees with additional training to prevent similar incidents in the future. Navia Benefit Solutions did not disclose whether this was a ransomware attack or if it received a ransom demand. No ransomware group has claimed responsibility for the incident.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
The data breach is a reportable incident under HIPAA. The Department of Health and Human Services has been notified, and a media notice has also been issued, in compliance with the HIPAA Breach Notification Rule. The incident is not yet shown on the HHS’ Office for Civil Rights breach portal. While it is unclear how many clients have been affected, the Washington State Health Care Authority is one of the affected clients. Navia Benefit Solutions contracted with the Washington State Health Care Authority as the administrator of its Flexible Spending Arrangement (FSA) and Dependent Care Assistance Program (DCAP) for the PEBB and SEBB Programs.
Washington State Health Care Authority, which manages Medicaid in the state, has published its own substitute breach notice. The notice confirms that records going back seven years were compromised in the incident, which relate to approximately 27,000 current and former PEBB members, 5,600 current and former SEBB members, and 3,000 current and former Compacts of Free Association (COFA) islander members. In addition, 37 school districts that contracted with Navia before the SEBB Program was implemented in January 2020 have also been notified that some of their data was potentially compromised in the incident. The impacted data includes first and last names, Navia ID numbers, addresses, phone numbers, email addresses, enrollment start and end dates, employee IDs, Social Security numbers, and dates of birth.
* The HHS’ Office for Civil Rights was informed that the protected health information of 2,151,330 individuals was compromised in the incident.
