Active breach tracker GA Disclosed June 6, 2025

Centivo Corporation Data Breach 2025: 630 Affected · Email Unauthorized Access at a Buffalo-Headquartered TPA

Centivo Corporation, a Buffalo, New York-headquartered third-party administrator for self-funded employer health plans, filed a HIPAA breach notification with the HHS Office for Civil Rights on June 6, 2025, reporting 630 affected individuals in an Unauthorized Access/Disclosure event involving Email. The OCR portal entry is the primary public record; the entity has not posted a separate substitute notice and no class-action filings have been identified.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Jun 6, 2025

Centivo Corporation files a HIPAA breach notification with the HHS Office for Civil Rights reporting 630 affected individuals; the portal categorizes the event as Unauthorized Access/Disclosure at Email and lists Centivo as a business associate

Data exposed

03

Contact & insurance

Phishing + targeted scams

Not publicly enumerated beyond 'Email' as the breach location on the HHS OCR portal entry
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

Centivo Corporation, a third-party administrator (TPA) for self-funded employer health plans that operates from offices at 199 Scott Street, Suite 800, Buffalo, New York, filed a HIPAA breach notification with the U.S. Department of Health and Human Services Office for Civil Rights on June 6, 2025, reporting 630 affected individuals in an Unauthorized Access/Disclosure event involving Email. The OCR portal lists Centivo as a business associate for purposes of this filing — consistent with its role administering plans for covered-entity employer health plans rather than acting as a covered entity itself.

This page reflects what the HHS OCR portal entry publicly discloses. As of the most recent update, Centivo has not published a separate substitute notice on its corporate website, the incident does not appear in HIPAA Journal’s monthly breach roundups (which cover breaches affecting 500 or more individuals), and we have not identified state attorney general filings or class-action complaints naming Centivo in connection with this incident. We will update this page as the entity’s own notification letter, state AG filings, established trade press coverage, or court filings become available.

Timeline

  • June 6, 2025 — Centivo Corporation files a HIPAA breach notification with HHS OCR reporting 630 affected individuals. The portal entry categorizes the event as Unauthorized Access/Disclosure at Email and indicates a business associate was involved.

The HHS OCR portal does not publicly disclose the underlying incident date or the date Centivo discovered the unauthorized access. The 60-day breach-notification clock under 45 CFR 164.404 ties notification timing to discovery, so the actual unauthorized access likely occurred within roughly two months before the June 6 filing.

What was exposed

The HHS OCR portal entry lists the breach location as Email, indicating that one or more email accounts or messages were the locus of the unauthorized access or disclosure. Centivo has not publicly enumerated the specific data elements involved. Because Centivo operates as a TPA for self-funded employer plans, email accounts in its environment typically contain a mix of:

  • Plan-member identifiers (name, member ID, employer, group number)
  • Eligibility, enrollment, and benefits information
  • Claims-related correspondence (potentially including provider names, diagnosis codes, procedure codes, and dates of service)
  • In some cases, Social Security numbers, dates of birth, and addresses where required for claims adjudication or eligibility verification

Affected individuals should rely on their personal notification letter for the authoritative list of data elements involved in their case.

What the entity is offering

Centivo has not publicly disclosed credit-monitoring or identity-theft-protection terms for this incident. Notification letters typically include enrollment instructions and a single-use activation code when complimentary monitoring is offered. If you receive a letter from Centivo or a plan sponsor referencing this incident, follow the enrollment instructions in the letter rather than searching for the offer separately.

Class-action and regulatory posture

As of this update, the HHS OCR portal entry remains open. We have not identified any class-action complaints naming Centivo Corporation in connection with this June 2025 filing in publicly available court records or class-action trackers reviewed for this page. The relatively contained scope (630 individuals) and the absence of public attribution to a known threat actor reduce, but do not eliminate, plaintiff-bar interest in the incident.

What to do if you may be affected

  • Freeze your credit with Equifax, Experian, and TransUnion. Until Centivo publicly enumerates the data elements involved, assume the worst case (that Social Security numbers may be in scope) and treat a security freeze as the highest-leverage protective step. Freezes are free and reversible.
  • Watch for a notification letter addressed to you at the contact information your plan has on file. Notification letters typically follow the OCR filing by a few weeks. Read carefully for the specific data elements exposed and for any complimentary credit-monitoring offer.
  • Verify communications. Threat actors holding name, employer, and plan-administrator context can craft convincing follow-on phishing. Treat unexpected calls, emails, or texts referencing your Centivo plan with skepticism, and verify any communication by contacting your employer’s benefits administrator or Centivo directly through the phone number on your member ID card.
  • Bookmark this page. We update it as new information becomes publicly available.

Sources

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.