Blue & Co., LLC Data Breach 2025: 228,999 Affected · 30-Minute Server Intrusion · Notice From Your Provider, Not Blue & Co. Directly
Indiana CPA and consulting firm Blue & Co., LLC was breached on November 7, 2024 in a server intrusion lasting under 30 minutes. The firm acted as a business associate to hospitals, physician groups, dental practices, and pharmacies. 228,999 individuals had names, Social Security numbers, financial data, and medical records exposed. Notifications mailed by Kroll on behalf of provider clients beginning July 3, 2025.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Nov 7, 2024
Unauthorized access to a single Blue & Co. server endpoint; data exfiltration in under 30 minutes
Dec 9, 2024
Blue & Co. learns of the incident after an unauthorized actor claims to have taken data; server isolated and third-party forensics engaged
Feb 7, 2025
HIPAA breach notification filed with HHS Office for Civil Rights
May 20, 2025
Data review concludes, identifying affected individuals and data elements
Jul 3, 2025
Blue & Co. issues official notice of data event; individual notification letters begin mailing via Kroll on behalf of provider clients
Jul 8, 2025
Plaintiff firms publicly open class-action investigations
Nov 7, 2024
Unauthorized access to a single Blue & Co. server endpoint; data exfiltration in under 30 minutes
Dec 9, 2024
Blue & Co. learns of the incident after an unauthorized actor claims to have taken data; server isolated and third-party forensics engaged
Feb 7, 2025
HIPAA breach notification filed with HHS Office for Civil Rights
May 20, 2025
Data review concludes, identifying affected individuals and data elements
Jul 3, 2025
Blue & Co. issues official notice of data event; individual notification letters begin mailing via Kroll on behalf of provider clients
Jul 8, 2025
Plaintiff firms publicly open class-action investigations
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
Blue & Co., LLC, a Carmel, Indiana accounting and consulting firm with offices across Indiana, Ohio, Kentucky, Michigan, and Texas, suffered a server intrusion on November 7, 2024 that lasted less than 30 minutes but resulted in the exfiltration of personal and protected health information for 228,999 individuals. Blue & Co. acts as a HIPAA business associate to hospitals, physician groups, dental practices, and pharmacies, which means most affected people are patients of those provider clients, not direct Blue & Co. customers. If you are affected, the notification letter you receive will almost certainly be mailed in the name of your provider, with Blue & Co. identified inside as the source of the incident.
Blue & Co. learned of the breach on December 9, 2024, when an unauthorized actor claimed to have taken data from one of its servers. The firm isolated the affected server, engaged third-party forensic specialists, completed its data review on May 20, 2025, and began mailing notification letters through Kroll on July 3, 2025. The HIPAA filing with the U.S. Department of Health and Human Services Office for Civil Rights was made on February 7, 2025.
Timeline
- November 7, 2024 — Unauthorized access to a single Blue & Co. server endpoint. Data exfiltration occurs in under 30 minutes.
- December 9, 2024 — Blue & Co. learns of the incident after an unauthorized actor claims possession of the data. The server is isolated and third-party forensics are engaged.
- February 7, 2025 — HIPAA breach notification filed with HHS OCR, reporting a Hacking/IT Incident at a Network Server affecting 228,999 individuals.
- May 20, 2025 — Data review concludes, identifying the specific individuals and data elements involved.
- July 3, 2025 — Blue & Co. issues its official notice of data event. Individual notification letters begin mailing through Kroll, in many cases under the name of the affected provider client.
- July 8, 2025 — Multiple plaintiff firms publicly open class-action investigations.
What was exposed
The data elements vary by individual, but per Blue & Co.’s own notice and reporting by Console & Associates and the Strauss Borrelli investigation, the impacted files identified the following:
- Name, date of birth, Social Security number
- Driver’s license number, passport number, individual tax identification number
- Financial account information, with or without access credentials
- Username and password
- Medical information, medical record number, patient identification number
- Diagnostic information, diagnostic code, procedure type, admission date
- Treatment location, treatment cost, prescription information
- Mental or physical condition, treating or referring physician
- Medicare identification number, billing and claims information, patient encounter number
- Health insurance information
The combination of Social Security number plus full medical record context is unusually rich for an accounting-firm breach and reflects the fact that Blue & Co. handled both tax and revenue-cycle / consulting engagements for healthcare clients.
Who’s notifying you — the notice may come from your provider, not Blue & Co.
Blue & Co. is a HIPAA business associate. Under HIPAA, a business associate that suffers a breach generally notifies the covered entity (your provider), and your provider notifies you. In this incident, individual notification letters are being mailed by Kroll on behalf of provider clients. That means:
- The envelope and letterhead you receive may show your hospital, physician group, dental practice, or pharmacy as the sender, with Blue & Co. identified inside as the firm that experienced the underlying incident.
- A single household may receive multiple letters if more than one provider used Blue & Co.
- The complimentary identity monitoring service offered is administered by Kroll and includes credit monitoring for both adults and minors, unlimited fraud consultation, and identity theft restoration services. The enrollment instructions and unique code are in the letter.
Blue & Co. has published its own security breach notification page at blueandco.com/security-breach, and a dedicated notification portal at info.blueandco.com/2025-blue-co.-llc-notification. If you received a letter referencing Blue & Co. but cannot identify which of your providers shared data with them, you can call the dedicated response line at 866-819-2990 (Monday through Friday, 9 a.m. to 6:30 p.m. Eastern). You may also contact the firm’s Security Officer directly at 317-848-8920 or [email protected].
Downstream provider customers
Blue & Co.’s own notice and subsequent reporting describe the client universe as hospitals, physician groups, dental practices, and pharmacies in the firm’s regional footprint (Indiana, Ohio, Kentucky, Michigan, and Texas), but does not publish a comprehensive list of affected institutions. Two named clients have publicly confirmed their patients were affected:
- Murray-Calloway County Hospital (MCCH), Murray, Kentucky — the hospital notified patients that Blue & Co., which provides auditing services to MCCH, experienced the incident. Coverage confirmed by the Murray Ledger & Times.
- Trigg County Hospital, Cadiz, Kentucky — the hospital separately notified patients. Coverage confirmed by WKDZ Radio (September 10, 2025).
Both Kentucky hospitals used Blue & Co. for accounting and CPA services. If you are a patient of a hospital or physician group in Indiana, Ohio, Kentucky, Michigan, or Texas and have not yet received a notification letter, check that letter carefully when it arrives, as mailing was still in progress through the fall of 2025. We will update this section as additional provider clients file substitute notices with state attorneys general or post breach notices on their patient-portal sites.
Class-action posture
Multiple plaintiff firms have publicly opened investigations of the Blue & Co. breach, including Console & Associates, P.C.; Strauss Borrelli PLLC; The Lyon Firm; GS Legal / Gibbs Law Group; and Srourian Law Firm. As of this update, no consolidated class-action complaint with a public case caption and case number has been confirmed in the sources reviewed. Filings, if and when they appear, would most plausibly land in the U.S. District Court for the Southern District of Indiana (Blue & Co.’s home district) or in state court in Hamilton County, Indiana.
The HHS OCR portal entry remains open at the time of this update.
What to do
- Read every envelope. Because Blue & Co. is a business associate, your notice may arrive in the name of your provider. Do not discard it as junk mail. The unique enrollment code for Kroll monitoring is single-use and printed inside the letter.
- Freeze your credit with Equifax, Experian, and TransUnion. With Social Security numbers, driver’s license and passport numbers, and financial account data exposed, a security freeze is materially more protective than monitoring alone. It is free and reversible.
- Enroll in the Kroll monitoring that comes with your letter, even if you also freeze your credit. The two services protect against different threats.
- Change reused passwords. Usernames and passwords were among the exposed data elements. If you reuse any password that lives on a provider portal, change it everywhere you use it and turn on two-factor authentication.
- Watch for medical identity theft. Diagnostic codes, prescription information, and health insurance data were exposed. Review every Explanation of Benefits from your insurer for the next 12 to 24 months and request a copy of your medical record if you see services or prescriptions you did not receive.
- Be alert to targeted phishing. Threat actors with name, date of birth, provider context, and diagnostic detail can craft highly convincing follow-on lures. Treat any unexpected call or email referencing your medical care or billing with skepticism, and call your provider back at a number you look up independently.
- Stop the ongoing flow of your health data. The medical records, diagnostic codes, billing details, and prescription data exposed in this breach are not just at Blue & Co. They continue to circulate among hospitals, physician groups, and other business associates every time your provider shares records for treatment, payment, or operations. HealthConsent files HIPAA restriction requests so the medical and financial data exposed in this breach is not continuously re-shared across provider networks without your consent.
Sources
- HHS Office for Civil Rights Breach Portal — federal regulatory record (filing dated 2025-02-07; 228,999 affected; Hacking/IT Incident at Network Server; Business Associate).
- Blue & Co., LLC — Security Breach Notification — entity’s own notice page confirming timeline, exposed data categories, Kroll monitoring offer, call center number (866-819-2990), and Security Officer contact.
- Yahoo Finance / Cision PR Newswire — Blue & Co., LLC Provides Notice of Data Event — official press release, exposed data elements, business-associate language, Kroll monitoring offer.
- KXAN / Cision PR Newswire reprint — official notice text with full data-element list and notification dates.
- JDSupra / Console & Associates — Accounting Firm Blue & Co. Files Notice of Data Breach With Federal Regulators — federal filing summary and plaintiff-side investigation.
- Strauss Borrelli PLLC — Blue & Co. Data Breach Investigation — confirmation of provider-client universe (hospitals, physician groups, dental practices, pharmacies) and notification mailing date.
- The Lyon Firm — Blue & Co. Data Breach Investigation — class-action investigation summary.
- SLFLA (Srourian Law Firm) — Data Breach Alert: Blue & Co., LLC — dedicated class-action investigation page.
- Murray Ledger & Times — Financial consulting firm informs MCCH customers of data security incident — local press confirming Murray-Calloway County Hospital (Kentucky) as a named downstream client.
- WKDZ Radio — Trigg County Hospital Patients Notified Of Data Breach With Partner Company — local press confirming Trigg County Hospital (Kentucky) as a named downstream client.
- ClaimDepot — Blue & Co. Data Breach Exposes Social Security Numbers — timeline detail (data review completion May 20, 2025), exposed data, Kroll monitoring.
- DataBreachClassAction.io — Blue & Co. Data Breach Class Action Investigation — plaintiff-firm investigation summary and HHS filing detail.
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HHS Office for Civil Rights Breach Portal
- Blue & Co., LLC — Security Breach Notification (entity's own notice page)
- Yahoo Finance / Cision PR Newswire — Blue & Co., LLC Provides Notice of Data Event
- KXAN / Cision PR Newswire — Blue & Co., LLC Provides Notice of Data Event
- JDSupra / Console & Associates — Accounting Firm Blue & Co. Files Notice of Data Breach With Federal Regulators
- Strauss Borrelli PLLC — Blue & Co. Data Breach Investigation
- The Lyon Firm — Blue & Co. Data Breach Investigation
- SLFLA (Srourian Law Firm) — Data Breach Alert: Blue & Co., LLC
- Murray Ledger & Times — Financial consulting firm informs MCCH customers of data security incident
- WKDZ Radio — Trigg County Hospital Patients Notified Of Data Breach With Partner Company
- ClaimDepot — Blue & Co. Data Breach Exposes Social Security Numbers
- DataBreachClassAction.io — Blue & Co. Data Breach Class Action Investigation
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.