Allied Services Division Welfare Fund Data Breach 2025: 5,727 Affected · Employee Email Compromise · IL Union Health Plan. Filed With HHS OCR. What To Do.
Allied Services Division Welfare Fund, an Arlington Heights, Illinois union health-and-welfare plan, disclosed in 2025 that an unauthorized actor accessed an employee email account between October 9 and November 26, 2024. The Fund filed with the HHS Office for Civil Rights reporting 5,727 affected individuals and is offering 24 months of Experian IdentityWorks credit monitoring to those whose name, Social Security number, driver's license, date of birth, medical records, health insurance, or financial-account information may have been exposed.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Oct 9, 2024
Earliest date of unauthorized access to an employee email account (per the Fund's forensic conclusion: Oct. 9 – Nov. 26, 2024).
Nov 25, 2024
The Fund detected suspicious activity in the employee email account and began an investigation with outside cybersecurity counsel.
May 7, 2025
Breach reported to the HHS Office for Civil Rights (5,727 individuals; Hacking/IT Incident — Email).
Jun 30, 2025
Forensic review concluded that personal information in the mailbox may have been accessed or acquired.
Jul 30, 2025
Breach notice filed with the California Attorney General; substantively similar filings followed with Massachusetts, Montana, New Hampshire, and Texas regulators.
Oct 6, 2025
Individual notification letters mailed to affected participants and beneficiaries, including the sample letter posted by the Montana Department of Justice.
Oct 9, 2024
Earliest date of unauthorized access to an employee email account (per the Fund's forensic conclusion: Oct. 9 – Nov. 26, 2024).
Nov 25, 2024
The Fund detected suspicious activity in the employee email account and began an investigation with outside cybersecurity counsel.
May 7, 2025
Breach reported to the HHS Office for Civil Rights (5,727 individuals; Hacking/IT Incident — Email).
Jun 30, 2025
Forensic review concluded that personal information in the mailbox may have been accessed or acquired.
Jul 30, 2025
Breach notice filed with the California Attorney General; substantively similar filings followed with Massachusetts, Montana, New Hampshire, and Texas regulators.
Oct 6, 2025
Individual notification letters mailed to affected participants and beneficiaries, including the sample letter posted by the Montana Department of Justice.
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
Allied Services Division Welfare Fund, an Arlington Heights, Illinois Taft-Hartley union health-and-welfare plan, disclosed in 2025 that an unauthorized actor had gained access to an employee email mailbox for roughly seven weeks in late 2024. The Fund’s breach report to the U.S. Department of Health and Human Services Office for Civil Rights lists 5,727 affected individuals under the Hacking/IT Incident — Email category. The compromised mailbox contained the kind of personal and benefits data a self-funded health plan routinely processes: names, Social Security numbers, dates of birth, driver’s license numbers, medical records, health-insurance information, and financial-account information.
There is no public attribution to a named threat group, no ransomware claim, and no indication that the Fund’s core claims-administration systems were affected. The exposure stems from email content, which is consistent with a business-email-compromise pattern rather than a network-wide intrusion.
Timeline
- October 9 – November 26, 2024 — Unauthorized access window. The Fund’s forensic investigation later concluded that an unauthorized individual had access to an employee email account during this period.
- November 25, 2024 — Detection. The Fund identified suspicious activity in the affected mailbox, secured it, and engaged outside cybersecurity counsel to investigate.
- June 30, 2025 — Determination. Forensic review concluded that personal information contained in the mailbox may have been viewed or copied. A manual document review followed to identify which individuals’ data was implicated.
- May 7, 2025 — HHS OCR filing. The Fund reported the incident to the HHS Office for Civil Rights, listing 5,727 affected individuals.
- July 30, 2025 onward — State AG filings. Substantively similar notices were filed with the California, Massachusetts, Montana, New Hampshire, and Texas attorneys general.
- Through October 6, 2025 — Individual notification letters mailed to affected participants and beneficiaries.
What was exposed
Per the consumer notification letter and state AG filings, the data elements potentially exposed in the compromised mailbox include:
- Full name
- Address
- Date of birth
- Social Security number
- Driver’s license number
- Medical records and health information
- Health-insurance information (member IDs, coverage details)
- Financial-account information
The Fund states it has no evidence of actual misuse of the information, which is the standard “no-evidence-of-misuse” language used in nearly every email-compromise notification and reflects the limits of forensic logging rather than an affirmative finding of safety.
What’s being offered
Allied Services Division Welfare Fund is offering 24 months of Experian IdentityWorks credit monitoring and identity-theft protection at no cost to individuals whose information was implicated. Enrollment instructions and the activation code are included in each individual’s notification letter.
Class-action posture
As of this update, multiple plaintiffs’ firms — including Cole & Van Note, Federman & Sherwood, FBFG, Schubert Jonckheer & Kolbe, and others — have announced investigations and are recruiting potential plaintiffs. No filed class-action complaint has been publicly docketed against the Fund. (Note: there are older, unrelated federal cases captioned “Allied Services Division Welfare Fund v. GlaxoSmithKline” and “v. Merck” — those are pharmaceutical-pricing actions in which the Fund is a plaintiff, not data-breach litigation.)
What to do if you may be affected
- Enroll in the Experian IdentityWorks monitoring offered in your notification letter before the deadline printed there. Twenty-four months is meaningful — use it.
- Place a credit freeze with Equifax, Experian, and TransUnion. SSNs and driver’s license numbers were in the mailbox; a freeze blocks new-account fraud at the source and is free at all three bureaus.
- Be alert for targeted phishing. Email-compromise breaches give attackers context — employer names, plan IDs, benefits dates — that makes follow-on phishing far more convincing. Treat any unexpected call, text, or email referencing your union benefits, the Fund, or Experian with suspicion, and confirm by calling the Fund directly using a number from your existing benefits card rather than one provided in a message.
- If your driver’s license number was listed, request a replacement license through your state DMV if it offers fraud-related reissuance; some states issue a new number where misuse is suspected.
- If your financial-account information was listed, contact your bank or credit union to review recent activity and consider changing account or routing numbers.
Sources on this page
- HHS Office for Civil Rights Breach Portal — federal regulatory record of this breach.
- Montana DOJ — consumer notification letter (PDF) — sample of the individual letter the Fund mailed to affected persons.
- Massachusetts AG — 2025-1695 Allied Services Division Welfare Fund filing — state regulator filing.
- Cole & Van Note — investigation announcement — plaintiffs’-firm summary of exposed data elements and timeline.
- Federman & Sherwood — investigation announcement — additional timeline detail including the September 12, 2025 determination some sources reference.
- ClaimDepot — breach summary — consumer-facing summary corroborating dates, exposed elements, and Experian IdentityWorks offering.
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HHS Office for Civil Rights Breach Portal
- Montana DOJ — Allied Services Division Welfare Fund consumer notification letter (PDF)
- Massachusetts AG — 2025-1695 Allied Services Division Welfare Fund filing
- Cole & Van Note — Allied Services Division Welfare Fund Data Breach Investigation
- Federman & Sherwood — Allied Services Division Welfare Fund Data Breach
- ClaimDepot — Allied Services Division Welfare Fund Breach Impacts Personal Info
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.