Active breach tracker Deerfield, Illinois Disclosed July 29, 2025

Alera Group Data Breach 2025: 155,567 Affected · Hacking/IT Incident · Deerfield, IL Business Associate. $2M Settlement Claim Deadline June 29, 2026. What To Do

Alera Group, Inc. — a national insurance brokerage and employee-benefits firm acting as a HIPAA business associate — reported 155,567 individuals affected by a July 2024 network intrusion. Notification letters went out May 21, 2025; the HHS OCR filing landed July 29, 2025. A consolidated class action alleges a class of roughly 873,211 and reached a $2M preliminary settlement on March 30, 2026. Claim deadline is June 29, 2026. Here is what to do.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Jul 19, 2024

Unauthorized access to Alera Group network begins (per investigation).

Aug 1, 2024

Alera detects suspicious activity in August 2024 and begins forensic investigation.

Aug 4, 2024

Unauthorized access ends (close of intrusion window).

Apr 28, 2025

File review concludes; Alera confirms personal information may have been removed from its environment.

May 21, 2025

Alera issues notice of privacy incident and begins notifying individuals.

Jul 29, 2025

Alera reports the breach to HHS OCR — 155,567 affected, Hacking/IT Incident at Network Server.

Mar 30, 2026

Florida court grants preliminary approval to a $2M class settlement in Grubb v. Alera Group (Case No. CACE25019102, Broward County), covering an expanded class of approximately 873,211.

Jun 29, 2026

Claim-filing deadline for the proposed Alera Group settlement.

Aug 3, 2026

Final fairness/approval hearing scheduled.

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth Social Security number Driver's license number Passport number Biometric information

02

Health records

Don't expire and can't be reissued

Medical history, diagnoses, medications, treatment/testing information Medical record number

03

Contact & insurance

Phishing + targeted scams

Name Address Demographic information Birth/marriage certificates Financial account and credit card information Other government-issued ID Health insurance/claims data Medicare/Medicaid ID Electronic/digital signature Username and password

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Strauss Borrelli PLLC (investigating) Cole & Van Note (investigating)
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

Alera Group, Inc. is a Deerfield, Illinois–based national insurance brokerage and employee-benefits firm that operates as a HIPAA business associate to many employer health plans. On July 29, 2025, Alera reported a Hacking/IT Incident at a Network Server to the HHS Office for Civil Rights, affecting 155,567 individuals. Notification letters had begun going out on May 21, 2025, roughly nine months after Alera first detected suspicious network activity in August 2024. A consolidated class action later put the broader affected population — including downstream clients and partners — at approximately 873,211, and a Florida court granted preliminary approval to a $2 million settlement on March 30, 2026.

Timeline

  • July 19 – August 4, 2024 — Unauthorized access to Alera Group’s technology environment (intrusion window confirmed by forensic investigation).
  • August 2024 — Alera detects suspicious network activity and engages third-party cybersecurity specialists.
  • April 28, 2025 — File review concludes; Alera confirms personal information may have been removed from its network.
  • May 21, 2025 — Alera publishes its notice of privacy incident and begins mailing individual notification letters.
  • July 29, 2025 — Alera files with HHS OCR (155,567 affected; Business Associate; Hacking/IT Incident at Network Server). State attorney general filings confirmed in California, Maine, Texas, Washington, Massachusetts, Vermont, Iowa, South Carolina, Montana, and New Hampshire.
  • March 30, 2026 — Florida court grants preliminary approval to a $2M class settlement in Grubb v. Alera Group, Inc. (Case No. CACE25019102, Broward County), based on an expanded class of ~873,211.
  • June 29, 2026 — Deadline to file a claim under the proposed settlement.
  • August 3, 2026 — Final approval hearing scheduled.

What was exposed

Alera Group’s own notice and HIPAA Journal’s reporting describe a wide-ranging mix of identity, financial, and health data. Not every individual had every element exposed; your specific notification letter is the authoritative list for you. The categories Alera confirmed include:

  • Name, address, demographic information, date of birth.
  • Birth and marriage certificates.
  • Social Security number, driver’s license number, passport number, other government-issued IDs.
  • Financial account and credit card information.
  • Medical history, diagnoses, medications, treatment and testing information, medical record numbers.
  • Health insurance and claims data, including Medicare and Medicaid IDs.
  • Electronic and digital signatures, biometric information.
  • Username and password credentials.

That last item — credentials — is the most operationally urgent, because reused passwords can be replayed against email, banking, and benefits portals.

What Alera Group is offering

Alera’s initial notification letters included an offer of 24 months of complimentary credit monitoring and identity-theft protection through IDX. Enrollment instructions directed individuals to:

  • Enrollment portal: https://response.idx.us/aleraemployees/
  • Dedicated call center: 855-202-2008, Monday through Friday, 8:00 a.m. to 8:00 p.m. CT, excluding major U.S. holidays.
  • Initial enrollment deadline: August 21, 2025 (per the original notice); a supplemental California AG notice extended that window to October 29, 2025 for impacted California residents.

If you missed those deadlines but are part of the class settlement, the settlement separately provides two years of CyEx medical and financial data monitoring for class members who submit a valid claim form by June 29, 2026.

Who’s notifying you (BA — through your employer or plan)

Alera Group is a business associate. That means most affected people did not have a direct customer relationship with Alera: they were employees, dependents, or members of an employer-sponsored plan, professional association, or carrier client that engaged Alera for brokerage, benefits administration, or related services. In Alera’s words, “these individuals are related to the businesses who are our clients and partners.”

Practically, that means:

  • Your notification letter may arrive on Alera’s letterhead even if you have never heard of Alera.
  • Your employer, HR department, or plan administrator may also send a separate communication.
  • Credit-monitoring enrollment details and call-center information are in the letter itself; do not enter personal information into any sites that arrive via unsolicited email or text.

Downstream employer plans

Alera serves a large book of employer clients across health and welfare benefits, retirement plans, and property/casualty lines. Public filings have not enumerated every downstream client, but the class-action complaint and the supplemental California AG notice indicate the affected population spans current and former Alera employees, their dependents, and individuals who received services through Alera’s clients and third-party providers. If you’ve ever enrolled in an employer benefit administered or brokered with Alera’s involvement, treat any letter referencing this incident as legitimate until proven otherwise — then verify through your employer’s HR/benefits channel.

Class-action posture

Multiple proposed class actions were filed in 2025 alleging Alera failed to implement reasonable cybersecurity measures and delayed individual notification by nearly a year. Among the named federal cases is Hegarty v. Alera Group, Inc., Case No. 1:25-cv-09169 (N.D. Ill., filed August 4, 2025). Law firms Strauss Borrelli PLLC and Cole & Van Note announced parallel investigations. The cases were consolidated in Florida state court as Sophia Grubb, et al. v. Alera Group, Inc., Case No. CACE25019102 (Circuit Court for Broward County). On March 30, 2026, the court granted preliminary approval to a $2,000,000 non-reversionary settlement covering an expanded class of approximately 873,211 current and former employees, dependents, clients, and partners.

Settlement terms (per the preliminary approval order and class notice):

  • Up to $3,500 in documented out-of-pocket losses for class members with proof of losses traceable to the breach, incurred between July 19, 2024 and June 29, 2026.
  • Alternatively, an approximately $50 flat cash payment with no proof required.
  • Two years of CyEx medical and financial data monitoring for all claimants.
  • Claim deadline: June 29, 2026 (via AleraGroupDataSettlement.com).
  • Final approval hearing: August 3, 2026 at 8:45 a.m. ET via Zoom before the Broward County Circuit Court.

Final approval, the precise per-claim cash amount, and timing of payments are subject to the court’s order following the August 3 hearing.

What to do

  1. Enroll in monitoring now. If you received a notification letter and the IDX enrollment window has passed, you can still claim two years of CyEx monitoring through the class settlement at AleraGroupDataSettlement.com before June 29, 2026. For IDX questions, call 855-202-2008, Monday–Friday, 8 a.m.–8 p.m. CT.

  2. File a settlement claim before the June 29, 2026 deadline. Submit the no-proof $50 option, or the documented-loss path (up to $3,500) if you have receipts for identity-theft expenses incurred July 19, 2024 through June 29, 2026.

  3. Freeze your credit at Equifax, Experian, and TransUnion. It is free, takes about ten minutes per bureau, and is the single most effective step against new-account fraud given that SSNs, driver’s-license numbers, and passport numbers were all confirmed exposed.

  4. Rotate every password you reused with an Alera-related benefits portal, and enable multi-factor authentication on your email, bank, and benefits accounts. Credential exposure was confirmed.

  5. Watch for medical-identity misuse. Because diagnoses, treatment records, and Medicare/Medicaid IDs were involved, scrutinize every Explanation of Benefits statement. If anything looks unfamiliar, request an accounting of disclosures from the relevant provider.

  6. File IRS Form 14039 if you are concerned about tax refund fraud. The SSN and financial-account combination exposed here is exactly the profile tax-identity thieves target.

  7. Verify all communications. Phishing that references “Alera Group” and “settlement” is predictable. Confirm enrollment links through the printed letter, Alera’s privacy-incident page, or the court-approved settlement website — not through unsolicited email or SMS.

  8. Stop the ongoing flow of your health and benefits data. HealthConsent files HIPAA restriction requests so the insurance, claims, and medical-history data exposed in this breach is not continuously re-shared across employer-benefit networks and clearinghouses. Start a request at HealthConsent.org.

Sources

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.