Active breach tracker Carmel, Indiana Disclosed February 7, 2025

Blue & Co., LLC Data Breach 2025: 228,999 Affected · 30-Minute Server Intrusion · Notice From Your Provider, Not Blue & Co. Directly

Indiana CPA and consulting firm Blue & Co., LLC was breached on November 7, 2024 in a server intrusion lasting under 30 minutes. The firm acted as a business associate to hospitals, physician groups, dental practices, and pharmacies. 228,999 individuals had names, Social Security numbers, financial data, and medical records exposed. Notifications mailed by Kroll on behalf of provider clients beginning July 3, 2025.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Nov 7, 2024

Unauthorized access to a single Blue & Co. server endpoint; data exfiltration in under 30 minutes

Dec 9, 2024

Blue & Co. learns of the incident after an unauthorized actor claims to have taken data; server isolated and third-party forensics engaged

Feb 7, 2025

HIPAA breach notification filed with HHS Office for Civil Rights

May 20, 2025

Data review concludes, identifying affected individuals and data elements

Jul 3, 2025

Blue & Co. issues official notice of data event; individual notification letters begin mailing via Kroll on behalf of provider clients

Jul 8, 2025

Plaintiff firms publicly open class-action investigations

Data exposed

01

High-risk identity

Enables financial + identity theft

Social Security numbers Driver's license numbers Passport numbers

02

Health records

Don't expire and can't be reissued

Medical record numbers and patient identification numbers Diagnostic information and diagnostic codes Procedure type, admission date, treatment location, treatment cost Prescription information

03

Contact & insurance

Phishing + targeted scams

Names Dates of birth Individual tax identification numbers Financial account information (with or without access credentials) Usernames and passwords Medical information Mental or physical condition information Treating or referring physician information Medicare identification numbers Billing and claims information, patient encounter numbers Health insurance information

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Console & Associates, P.C. Strauss Borrelli PLLC The Lyon Firm Gibbs Law Group / GS Legal Srourian Law Firm (SLFLA)
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

Blue & Co., LLC, a Carmel, Indiana accounting and consulting firm with offices across Indiana, Ohio, Kentucky, Michigan, and Texas, suffered a server intrusion on November 7, 2024 that lasted less than 30 minutes but resulted in the exfiltration of personal and protected health information for 228,999 individuals. Blue & Co. acts as a HIPAA business associate to hospitals, physician groups, dental practices, and pharmacies, which means most affected people are patients of those provider clients, not direct Blue & Co. customers. If you are affected, the notification letter you receive will almost certainly be mailed in the name of your provider, with Blue & Co. identified inside as the source of the incident.

Blue & Co. learned of the breach on December 9, 2024, when an unauthorized actor claimed to have taken data from one of its servers. The firm isolated the affected server, engaged third-party forensic specialists, completed its data review on May 20, 2025, and began mailing notification letters through Kroll on July 3, 2025. The HIPAA filing with the U.S. Department of Health and Human Services Office for Civil Rights was made on February 7, 2025.

Timeline

  • November 7, 2024 — Unauthorized access to a single Blue & Co. server endpoint. Data exfiltration occurs in under 30 minutes.
  • December 9, 2024 — Blue & Co. learns of the incident after an unauthorized actor claims possession of the data. The server is isolated and third-party forensics are engaged.
  • February 7, 2025 — HIPAA breach notification filed with HHS OCR, reporting a Hacking/IT Incident at a Network Server affecting 228,999 individuals.
  • May 20, 2025 — Data review concludes, identifying the specific individuals and data elements involved.
  • July 3, 2025 — Blue & Co. issues its official notice of data event. Individual notification letters begin mailing through Kroll, in many cases under the name of the affected provider client.
  • July 8, 2025 — Multiple plaintiff firms publicly open class-action investigations.

What was exposed

The data elements vary by individual, but per Blue & Co.’s own notice and reporting by Console & Associates and the Strauss Borrelli investigation, the impacted files identified the following:

  • Name, date of birth, Social Security number
  • Driver’s license number, passport number, individual tax identification number
  • Financial account information, with or without access credentials
  • Username and password
  • Medical information, medical record number, patient identification number
  • Diagnostic information, diagnostic code, procedure type, admission date
  • Treatment location, treatment cost, prescription information
  • Mental or physical condition, treating or referring physician
  • Medicare identification number, billing and claims information, patient encounter number
  • Health insurance information

The combination of Social Security number plus full medical record context is unusually rich for an accounting-firm breach and reflects the fact that Blue & Co. handled both tax and revenue-cycle / consulting engagements for healthcare clients.

Who’s notifying you — the notice may come from your provider, not Blue & Co.

Blue & Co. is a HIPAA business associate. Under HIPAA, a business associate that suffers a breach generally notifies the covered entity (your provider), and your provider notifies you. In this incident, individual notification letters are being mailed by Kroll on behalf of provider clients. That means:

  • The envelope and letterhead you receive may show your hospital, physician group, dental practice, or pharmacy as the sender, with Blue & Co. identified inside as the firm that experienced the underlying incident.
  • A single household may receive multiple letters if more than one provider used Blue & Co.
  • The complimentary identity monitoring service offered is administered by Kroll and includes credit monitoring for both adults and minors, unlimited fraud consultation, and identity theft restoration services. The enrollment instructions and unique code are in the letter.

Blue & Co. has published its own security breach notification page at blueandco.com/security-breach, and a dedicated notification portal at info.blueandco.com/2025-blue-co.-llc-notification. If you received a letter referencing Blue & Co. but cannot identify which of your providers shared data with them, you can call the dedicated response line at 866-819-2990 (Monday through Friday, 9 a.m. to 6:30 p.m. Eastern). You may also contact the firm’s Security Officer directly at 317-848-8920 or [email protected].

Downstream provider customers

Blue & Co.’s own notice and subsequent reporting describe the client universe as hospitals, physician groups, dental practices, and pharmacies in the firm’s regional footprint (Indiana, Ohio, Kentucky, Michigan, and Texas), but does not publish a comprehensive list of affected institutions. Two named clients have publicly confirmed their patients were affected:

  • Murray-Calloway County Hospital (MCCH), Murray, Kentucky — the hospital notified patients that Blue & Co., which provides auditing services to MCCH, experienced the incident. Coverage confirmed by the Murray Ledger & Times.
  • Trigg County Hospital, Cadiz, Kentucky — the hospital separately notified patients. Coverage confirmed by WKDZ Radio (September 10, 2025).

Both Kentucky hospitals used Blue & Co. for accounting and CPA services. If you are a patient of a hospital or physician group in Indiana, Ohio, Kentucky, Michigan, or Texas and have not yet received a notification letter, check that letter carefully when it arrives, as mailing was still in progress through the fall of 2025. We will update this section as additional provider clients file substitute notices with state attorneys general or post breach notices on their patient-portal sites.

Class-action posture

Multiple plaintiff firms have publicly opened investigations of the Blue & Co. breach, including Console & Associates, P.C.; Strauss Borrelli PLLC; The Lyon Firm; GS Legal / Gibbs Law Group; and Srourian Law Firm. As of this update, no consolidated class-action complaint with a public case caption and case number has been confirmed in the sources reviewed. Filings, if and when they appear, would most plausibly land in the U.S. District Court for the Southern District of Indiana (Blue & Co.’s home district) or in state court in Hamilton County, Indiana.

The HHS OCR portal entry remains open at the time of this update.

What to do

  • Read every envelope. Because Blue & Co. is a business associate, your notice may arrive in the name of your provider. Do not discard it as junk mail. The unique enrollment code for Kroll monitoring is single-use and printed inside the letter.
  • Freeze your credit with Equifax, Experian, and TransUnion. With Social Security numbers, driver’s license and passport numbers, and financial account data exposed, a security freeze is materially more protective than monitoring alone. It is free and reversible.
  • Enroll in the Kroll monitoring that comes with your letter, even if you also freeze your credit. The two services protect against different threats.
  • Change reused passwords. Usernames and passwords were among the exposed data elements. If you reuse any password that lives on a provider portal, change it everywhere you use it and turn on two-factor authentication.
  • Watch for medical identity theft. Diagnostic codes, prescription information, and health insurance data were exposed. Review every Explanation of Benefits from your insurer for the next 12 to 24 months and request a copy of your medical record if you see services or prescriptions you did not receive.
  • Be alert to targeted phishing. Threat actors with name, date of birth, provider context, and diagnostic detail can craft highly convincing follow-on lures. Treat any unexpected call or email referencing your medical care or billing with skepticism, and call your provider back at a number you look up independently.
  • Stop the ongoing flow of your health data. The medical records, diagnostic codes, billing details, and prescription data exposed in this breach are not just at Blue & Co. They continue to circulate among hospitals, physician groups, and other business associates every time your provider shares records for treatment, payment, or operations. HealthConsent files HIPAA restriction requests so the medical and financial data exposed in this breach is not continuously re-shared across provider networks without your consent.

Sources

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.