Centivo Corporation Data Breach 2025: 630 Affected · Email Unauthorized Access at a Buffalo-Headquartered TPA
Centivo Corporation, a Buffalo, New York-headquartered third-party administrator for self-funded employer health plans, filed a HIPAA breach notification with the HHS Office for Civil Rights on June 6, 2025, reporting 630 affected individuals in an Unauthorized Access/Disclosure event involving Email. The OCR portal entry is the primary public record; the entity has not posted a separate substitute notice and no class-action filings have been identified.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Jun 6, 2025
Centivo Corporation files a HIPAA breach notification with the HHS Office for Civil Rights reporting 630 affected individuals; the portal categorizes the event as Unauthorized Access/Disclosure at Email and lists Centivo as a business associate
Jun 6, 2025
Centivo Corporation files a HIPAA breach notification with the HHS Office for Civil Rights reporting 630 affected individuals; the portal categorizes the event as Unauthorized Access/Disclosure at Email and lists Centivo as a business associate
Data exposed
03
Contact & insurance
Phishing + targeted scams
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
Centivo Corporation, a third-party administrator (TPA) for self-funded employer health plans that operates from offices at 199 Scott Street, Suite 800, Buffalo, New York, filed a HIPAA breach notification with the U.S. Department of Health and Human Services Office for Civil Rights on June 6, 2025, reporting 630 affected individuals in an Unauthorized Access/Disclosure event involving Email. The OCR portal lists Centivo as a business associate for purposes of this filing — consistent with its role administering plans for covered-entity employer health plans rather than acting as a covered entity itself.
This page reflects what the HHS OCR portal entry publicly discloses. As of the most recent update, Centivo has not published a separate substitute notice on its corporate website, the incident does not appear in HIPAA Journal’s monthly breach roundups (which cover breaches affecting 500 or more individuals), and we have not identified state attorney general filings or class-action complaints naming Centivo in connection with this incident. We will update this page as the entity’s own notification letter, state AG filings, established trade press coverage, or court filings become available.
Timeline
- June 6, 2025 — Centivo Corporation files a HIPAA breach notification with HHS OCR reporting 630 affected individuals. The portal entry categorizes the event as Unauthorized Access/Disclosure at Email and indicates a business associate was involved.
The HHS OCR portal does not publicly disclose the underlying incident date or the date Centivo discovered the unauthorized access. The 60-day breach-notification clock under 45 CFR 164.404 ties notification timing to discovery, so the actual unauthorized access likely occurred within roughly two months before the June 6 filing.
What was exposed
The HHS OCR portal entry lists the breach location as Email, indicating that one or more email accounts or messages were the locus of the unauthorized access or disclosure. Centivo has not publicly enumerated the specific data elements involved. Because Centivo operates as a TPA for self-funded employer plans, email accounts in its environment typically contain a mix of:
- Plan-member identifiers (name, member ID, employer, group number)
- Eligibility, enrollment, and benefits information
- Claims-related correspondence (potentially including provider names, diagnosis codes, procedure codes, and dates of service)
- In some cases, Social Security numbers, dates of birth, and addresses where required for claims adjudication or eligibility verification
Affected individuals should rely on their personal notification letter for the authoritative list of data elements involved in their case.
What the entity is offering
Centivo has not publicly disclosed credit-monitoring or identity-theft-protection terms for this incident. Notification letters typically include enrollment instructions and a single-use activation code when complimentary monitoring is offered. If you receive a letter from Centivo or a plan sponsor referencing this incident, follow the enrollment instructions in the letter rather than searching for the offer separately.
Class-action and regulatory posture
As of this update, the HHS OCR portal entry remains open. We have not identified any class-action complaints naming Centivo Corporation in connection with this June 2025 filing in publicly available court records or class-action trackers reviewed for this page. The relatively contained scope (630 individuals) and the absence of public attribution to a known threat actor reduce, but do not eliminate, plaintiff-bar interest in the incident.
What to do if you may be affected
- Freeze your credit with Equifax, Experian, and TransUnion. Until Centivo publicly enumerates the data elements involved, assume the worst case (that Social Security numbers may be in scope) and treat a security freeze as the highest-leverage protective step. Freezes are free and reversible.
- Watch for a notification letter addressed to you at the contact information your plan has on file. Notification letters typically follow the OCR filing by a few weeks. Read carefully for the specific data elements exposed and for any complimentary credit-monitoring offer.
- Verify communications. Threat actors holding name, employer, and plan-administrator context can craft convincing follow-on phishing. Treat unexpected calls, emails, or texts referencing your Centivo plan with skepticism, and verify any communication by contacting your employer’s benefits administrator or Centivo directly through the phone number on your member ID card.
- Bookmark this page. We update it as new information becomes publicly available.
Sources
- HHS Office for Civil Rights Breach Portal — federal regulatory record of the June 6, 2025 filing (Unauthorized Access/Disclosure, Email, Business Associate, 630 individuals).
- Centivo — corporate site — entity description and TPA function for self-funded employer health plans.
- Centivo — Privacy Policy — privacy practices and contact information.
- Centivo Care — HIPAA Policy — Privacy Officer contact and corporate address (199 Scott Street, Suite 800, Buffalo, NY 14204).
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HHS Office for Civil Rights Breach Portal
- Centivo — corporate site (entity description, TPA function)
- Centivo — Privacy Policy
- Centivo Care — HIPAA Policy (Privacy Officer contact, corporate address)
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.