Benefits Management Group, Inc. Data Breach 2025: 501 Affected · Hacking/IT Incident · IL. Filed With HHS OCR. What To Do.
Benefits Management Group, Inc. (IL) filed a HIPAA breach notification with the HHS Office for Civil Rights on January 24, 2025, reporting 501 affected individuals in a Hacking/IT Incident event at Network Server. The HHS OCR portal entry is the primary public record; further details are not yet publicly disclosed o...
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Oct 24, 2024
Unauthorized access to BMGI systems begins (per forensic investigation).
Nov 26, 2024
BMGI detects suspicious activity on its computer systems.
Dec 2, 2024
End of confirmed unauthorized access window.
Jan 24, 2025
Breach report filed with HHS Office for Civil Rights (501 individuals reported).
Jul 21, 2025
Public substitute notice and notification letters to affected individuals; state AG filings (e.g., Massachusetts, Texas).
Oct 24, 2024
Unauthorized access to BMGI systems begins (per forensic investigation).
Nov 26, 2024
BMGI detects suspicious activity on its computer systems.
Dec 2, 2024
End of confirmed unauthorized access window.
Jan 24, 2025
Breach report filed with HHS Office for Civil Rights (501 individuals reported).
Jul 21, 2025
Public substitute notice and notification letters to affected individuals; state AG filings (e.g., Massachusetts, Texas).
Data exposed
01
High-risk identity
Enables financial + identity theft
03
Contact & insurance
Phishing + targeted scams
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
Benefits Management Group, Inc. (BMGI), an Oak Brook, Illinois benefits administrator that handles health, welfare, and retirement plans on behalf of plan sponsors, filed a HIPAA breach notification with the U.S. Department of Health and Human Services Office for Civil Rights on January 24, 2025, reporting 501 affected individuals in a Hacking/IT Incident at a network server. The 501 figure on the OCR portal is a HIPAA placeholder used when the regulated entity must report within 60 days of discovery before the file review is complete. State attorney-general filings later in 2025 confirmed the population is materially larger: at least 303 Massachusetts residents and 617 Texas residents were notified, and the final national count is expected to be higher.
Timeline
- October 24, 2024: Per BMGI’s forensic investigation, an unauthorized third party first accessed BMGI’s network.
- November 26, 2024: BMGI detected suspicious activity on its computer systems and engaged outside cybersecurity counsel and forensics.
- December 2, 2024: End of the confirmed unauthorized-access window; the actor copied files during this period.
- January 24, 2025: BMGI filed the breach with HHS OCR as a Hacking/IT Incident at a network server, reporting 501 individuals as an interim count.
- July 21, 2025: BMGI issued public substitute notice and began mailing individual notification letters; filings were also submitted to state regulators including the Massachusetts and Texas Attorneys General.
What was exposed
Across BMGI’s notification letter, state AG filings, and law-firm summaries, the data elements reported as potentially involved include:
- Names and addresses
- Dates of birth
- Social Security numbers
- Driver’s license or state identification numbers
- Passport numbers
- Financial account information and direct-deposit details
- Health insurance and pension-plan administration data
- Copies of marriage certificates and U.S. military service certificates held in plan files
The combination of full identifiers (name plus SSN plus DOB) with financial-account and direct-deposit data makes this a higher-risk dataset for identity theft and account-takeover fraud than a names-plus-addresses-only breach.
What BMGI is offering affected individuals
BMGI’s notification offers complimentary Equifax Credit Watch Gold credit monitoring and identity-restoration services. A dedicated assistance line is available at 855-260-8115, Monday through Friday, 9:00 a.m. to 9:00 p.m. Eastern Time. The enrollment deadline and activation code are included on each individual notification letter.
Class-action status
As of this writing, multiple plaintiffs’ firms (including Strauss Borrelli, Migliaccio & Rathod, Federman & Sherwood, and Console & Associates) have publicly announced investigations into BMGI on behalf of affected individuals. No consolidated class action has been filed and no settlement has been reached. ClassAction.org has closed its own investigation page without filing.
What to do if you may be affected
- Enroll in the credit monitoring BMGI is offering. Equifax Credit Watch Gold is paid for by the entity; activate it before the deadline on your letter.
- Freeze your credit at Equifax, Experian, and TransUnion. Credit monitoring tells you after fraud happens; a freeze prevents new accounts from being opened in your name. It is free and takes about ten minutes per bureau.
- If your passport or driver’s license number was listed, consider requesting replacement numbers from the issuing agency, especially if you have seen any unusual activity.
- Watch your bank and direct-deposit settings. Confirm that no pension or payroll direct deposit has been redirected, and enable account-change alerts where your institution offers them.
- Keep your notification letter. It documents your status as an affected individual for any future class-action claim or identity-theft dispute.
Sources on this page
- HHS Office for Civil Rights Breach Portal — federal regulatory record of this breach.
- Console & Associates / JD Supra — early summary of the BMGI cybersecurity event and notification.
- ClaimDepot investigation page — detailed data-element list, dates, and Equifax remedy.
- Strauss Borrelli PLLC investigation announcement — plaintiffs’ firm summary of the breach.
- Migliaccio & Rathod LLP investigation announcement — additional confirmation of breach details and timeline.
- Federman & Sherwood investigation summary — confirms Equifax Credit Watch Gold offering and access window.
- ClassAction.org case-status page — independent confirmation of breach timing and exposed data; investigation closed without filing.
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HHS Office for Civil Rights Breach Portal
- Console & Associates / JD Supra — Cybersecurity Event at Benefits Management Group Results in Data Breach
- ClaimDepot — Benefits Management Group Data Breach Investigation
- Strauss Borrelli PLLC — Benefits Management Group Data Breach Investigation
- Migliaccio & Rathod LLP — Benefits Management Group, Inc. Data Breach Investigation
- Federman & Sherwood — BMGI Data Breach Investigation
- ClassAction.org — Benefits Management Group January 2025 lawsuit investigation
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.