Kelly Benefits Data Breach Update: More Than 553,000 Individuals Affected
Kelly Benefits has confirmed that a further 140,628 individuals have been affected by its December 2024 cyberattack than previously reported. Hackers gained access to the Kelly Benefits network between December 12, 2024, and December 17, 2024, and exfiltrated files containing sensitive data, including names, dates of birth, Social Security numbers, health insurance information, financial account information, and medical information. Notification letters have been issued on a rolling basis to the affected individuals, and the breach had previously been reported to the Maine Attorney General as affecting 413,032 individuals.
The incident response and investigation were complex as so many of its clients were affected. Kelly Benefits said it reviewed its internal records to match the affected individuals to the appropriate client or carrier, and completed that process on March 3, 2025. According to the Kelly Benefits website, 45 of its clients were affected by the data breach. The Maine Attorney General has been informed that 553,660 individuals had their protected health information compromised. The types of data involved vary from individual to individual, and complimentary credit monitoring and identity theft protection services have been made available.
The table below has been updated to include all of the affected clients and carriers.
May 7, 2025: Kelly Benefits Data Breach Victim Count Rises to More Than 413,000
Kelly & Associates Insurance Group, a Sparks, Maryland-based employee benefits administrator that does business as Kelly Benefits, has released revised figures on the number of individuals affected by a December 2024 cyberattack. Kelly Benefits initially reported the data breach on April 9, 2025, as an incident involving unauthorized access to the data of 32,234 individuals. A couple of weeks later, on April 21, 2025, the number of affected individuals was increased to 263,893. The total has been revised again, with 413,032 individuals now known to have been affected, with a dozen more clients named. The breach notice suggests that the total may increase again. Companies confirmed as affected by the Kelly Benefits data breach are listed below.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
| Companies Affected by Kelly Benefits Data Breach | |
| Aetna Life Insurance Company | Prepcon, LLC |
| Amergis | Publishers Circulation Fulfilment, Inc. |
| Beam Benefits | Quantum Real Estate Management, LLC |
| Beltway Companies, LLC | Reliance Standard Life Insurance Company |
| CareFirst BlueCross BlueShield (“CareFirst”) | RENAISSANCE LIFE & HEALTH INSURANCE COMPANY OF AMERICA |
| Carroll Independent Fuel, LLC/High’s of Baltimore, LLC | RENAISSANCE LIFE & HEALTH INSURANCE COMPANY OF NEW YORK |
| Concrete Protection and Restoration, LLC (FL) | St. Mary’s Cement US LLC |
| Concrete Protection and Restoration, LLC (MD) | Superior Materials LLC |
| Dearborn Group | Supreme Services |
| Fidelity Building Services Group | Tessco Technologies, INC |
| First Reliance Standard Life Insurance Company | The Bozzuto Group |
| FutureCare Health & Management Corporation | The Guardian Life Insurance Company of America |
| Georgia Baptist Mission Board | The Vane Brothers Company |
| Humana Insurance ACE | ThompsonGas, LLC |
| Intercon Truck of Baltimore, Inc. | Transforming Lives Inc. |
| Interstate Construction and Development Company, LLC | United Healthcare |
| Liquidity Services Inc. | United of Omaha Life Insurance Company |
| Merritt Group, Inc. | VCNA Prairie LLC |
| Mission BBQ Management, LLC | VCNA United Materials LLC |
| Mutual of Omaha Insurance Company | Virtua Health |
| Northeast Foods | Vision Benefits of America |
| OneAmerica Financial Partners, Inc. | Wawa, Inc |
Some HIPAA-covered entities have chosen to report the data breach themselves and have not been included in the 413,000 total. For instance, Lincoln National Corporation, which does business as Lincoln Financial, has reported the incident to the HHS’ Office for Civil Rights as affecting 1,123 individuals.
In the breach notification letters, Kelly Benefits explained that suspicious activity was identified within its network environment on December 17, 2024. Third-party digital forensics specialists were engaged to investigate the activity, confirming unauthorized access to its network between December 12, 2024, and December 17, 2024. During that time, files on its network were copied by the attacker. The file review was completed on March 3, 2025, and notification letters were mailed to the affected individuals on May 2, 2025.
The types of information compromised in the incident vary from individual to individual and may include names, dates of birth, Social Security numbers, health insurance information, financial account information, and medical information. The affected individuals have been offered complimentary credit monitoring and identity theft protection services for 12 months.
As the victim count grows, so does the number of lawsuits against Kelly Benefits over the data breach. More than a dozen class action lawsuits have already been filed, and that total is expected to continue to grow.
