Managed Care Advisors / Sedgwick Notify Patients of Ransomware Attack
Managed Care Advisors and Sedgwick Government Solutions recently announced a cybersecurity incident involving unauthorized access to a corporate Secure File Transfer Protocol (SFTP) server that contained personal and protected health information. Files on the server were encrypted with ransomware.
Sedgwick Government Solutions, which acquired Managed Care Advisors in 2021, is a Bethesda, MD-based federal government contractor that provides workers’ compensation and managed care solutions. Sedgwick is also the manager of the Nationwide Provider Network for the World Trade Center Health Program.
Data breach notices often fail to disclose the exact nature of hacking incidents, which makes it difficult for victims to accurately gauge the level of risk they face. Sedgwick bucked that trend, opting for transparency about the data breach. Sedgwick explained that the incident was detected on December 4, 2025, and that it immediately implemented its incident response processes. All connections to the SFTP server were disabled to prevent further unauthorized access, and the encrypted data was restored from a secure system backup the following day.
A leading cybersecurity firm, Mandiant, was engaged to assist with the investigation and forensic analysis. The investigation confirmed that an unauthorized third party first accessed the server on November 16, 2025, by exploiting a vulnerability in the SFTP application. Access was only gained to a single server. No other systems were compromised.
The investigation confirmed on January 15, 2026, that the compromised server contained first and last names, addresses, Social Security numbers, dates of birth, and protected health information. The types of data varied from individual to individual. Sedgwick said that on January 2, 2026, a threat group identifying itself as TridentLocker claimed responsibility for the incident and published approximately 3.4 GB of data on a dark web data leak site.
Since stolen data has been published, the affected individuals should ensure that they sign up for the complimentary credit monitoring and identity theft protection services being offered. Those services include an identity theft insurance policy. Sedgwick said it had implemented cybersecurity measures prior to the incident to protect its systems and data, and has taken further steps to enhance privacy protections. The data breach is not yet shown on the HHS Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.


