Active breach tracker Danbury, Connecticut Disclosed July 3, 2025

Cierant Corporation Data Breach 2025 (Clop/Cleo VLTrader): 232,506 Health Plan Members Exposed. No SSN Stolen. What To Do

Cierant Corporation, a Danbury, Connecticut health-plan mailing vendor, disclosed on July 3, 2025 that 232,506 individuals had PHI exposed via the Cleo VLTrader exploit linked to Clop ransomware. Class actions are consolidated in D. Conn. Here is what to do.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Dec 10, 2024

Cierant detects suspicious activity tied to a zero-day vulnerability in the Cleo VLTrader managed-file-transfer tool (CVE-2024-50623 / CVE-2024-55956); immediately ceases use of the tool, rotates passwords, and notifies federal law enforcement

Dec 10, 2024

Attacker gained access

Jun 26, 2025

Forensic review confirms specific files containing personal information were potentially acquired; no Social Security numbers or financial account data were in scope

Jul 3, 2025

Cierant files HIPAA breach notification with HHS OCR (232,506 individuals) and begins mailing notice letters; AG filings submitted to California, Texas, Washington, and Montana

Jul 3, 2025

Disclosed publicly

Jul 8, 2025

Plaintiff firms (Federman & Sherwood, Levi & Korsinsky, Schubert Jonckheer & Kolbe) announce investigations; BCBS-MA's Maine AG filing also surfaces

Sep 1, 2025

Judge Kari A. Dooley (D. Conn.) consolidates multiple class actions — Shields v. Cierant, Credle v. Cierant, Verriere v. Cierant and BCBS Massachusetts, Gifford v. Cierant, Almaz v. Cierant — into a single proceeding

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth

02

Health records

Don't expire and can't be reissued

Treatment-related dates Medical record numbers

03

Contact & insurance

Phishing + targeted scams

Full name Address Generic descriptions of services received Provider names Health plan beneficiary numbers Claims numbers Plan member account numbers Premium information

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Schubert Jonckheer & Kolbe LLP (investigating) Levi & Korsinsky, LLP (investigating) Federman & Sherwood (investigating)
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

Cierant Corporation, a Danbury, Connecticut vendor that prints and mails Explanations of Benefits and health insurance appeals letters for U.S. health plans, disclosed on July 3, 2025 that 232,506 individuals had personal and health information exposed after attackers exploited a zero-day vulnerability in the Cleo VLTrader managed-file-transfer tool. Cierant first detected the intrusion on December 10, 2024, but did not begin individual notification for nearly seven months — a gap that has become the focal allegation in multiple class actions now consolidated before Judge Kari A. Dooley in the U.S. District Court for the District of Connecticut.

The Cleo VLTrader campaign (CVE-2024-50623 and CVE-2024-55956) was publicly claimed by the Clop ransomware group, which has a documented history of mass-exploiting managed-file-transfer software vulnerabilities — including the 2023 MOVEit attack. Cierant has not independently confirmed the attribution, but the BlackFog July 2025 ransomware report lists Cierant specifically under Clop’s campaign activity. Clop has claimed to have posted victim data to its Tor-hosted leak site; Cierant’s own notice states there is “no indication that this information has been or will be misused at this time.”

What happened

Cierant operates as a HIPAA business associate for health insurers. Its core function is high-volume member mailing: it receives files from health plans containing member data, merges them with letter templates, and prints and mails the finished documents. Because Cierant touches the data of every plan member who receives mail communications, an intrusion into its file-transfer infrastructure exposes members across all of its health-plan clients simultaneously.

On December 10, 2024, Cierant discovered suspicious activity on its systems and identified the Cleo VLTrader vulnerability. The company immediately ceased use of the tool, rotated passwords, and engaged an outside cybersecurity team to investigate. It also reported the incident to federal law enforcement. The forensic review concluded on June 26, 2025, when Cierant confirmed that specific files containing member information had potentially been acquired without authorization. Critically, the investigation found that the compromised files did not include Social Security numbers or financial account data — a fact Cierant has stated explicitly in its notice letters and the Montana AG filing corroborates.

Blue Cross and Blue Shield of Massachusetts has publicly confirmed that 4,855 of its members are among those affected and filed its own notification with the Maine Attorney General. State AG filings identify at least 1,576 Texas residents, 902 Washington state residents, 373 Rhode Island residents, and 84 Montana residents among those notified. The full universe of health-plan clients whose members were affected has not been publicly enumerated.

What was stolen

Per Cierant’s official notice of data incident and the state AG filing letters:

  • Full name
  • Address
  • Date of birth
  • Treatment-related dates
  • Generic descriptions of services received
  • Provider names
  • Medical record numbers
  • Health plan beneficiary numbers
  • Claims numbers
  • Plan member account numbers
  • Premium information

Not included: Social Security numbers and financial account numbers. Cierant’s notice letters state this explicitly, and the Montana AG filing repeats it verbatim. Plaintiff firm characterizations listing SSNs should be read with caution — the Federman & Sherwood investigation page references SSNs, but that language appears to reflect the firm’s initial allegations rather than Cierant’s confirmed disclosure.

Cierant also issued a separate notice letter for affected minors (children covered under a parent’s health plan). If your child received services through an affected health plan, the same PHI categories above may apply to their records.

What Cierant is offering

Cierant is offering 12 months of complimentary credit monitoring through Epiq / Privacy Solutions ID. The monitoring package includes:

  • Credit monitoring via Equifax with alerts for new accounts, inquiries, and public records
  • One-Bureau VantageScore and Credit Report access (annual)
  • SSN monitoring (high-risk transaction alerts, real-time authentication and inquiry alerts)
  • $1 million identity theft insurance ($0 deductible; underwritten by AIG subsidiaries)
  • ID Restoration services
  • Dark web monitoring

Enrollment: Visit www.privacysolutionsid.com and click “Activate Account.” Enter the activation code from your notification letter. The enrollment deadline was September 30, 2025. If you have not yet enrolled and that deadline has passed, contact the monitoring support line at 866-675-2006 to ask about any grace period.

Cierant’s dedicated breach hotline for general questions: 877-841-3066, Monday through Friday, 9:00 AM to 9:00 PM ET.

Class actions

At least five individual class actions were filed in the District of Connecticut during the summer of 2025. In September 2025, Judge Kari A. Dooley consolidated them into a single proceeding. The named cases include:

  • Shields v. Cierant Corporation
  • Credle v. Cierant Corporation
  • Verriere v. Cierant Corporation and Blue Cross Blue Shield of Massachusetts
  • Gifford v. Cierant Corporation
  • Almaz v. Cierant Corporation

All complaints allege negligence, failure to implement reasonable data security, and untimely notification given the roughly seven-month gap between the December 10, 2024 detection and the July 3, 2025 disclosure. Plaintiffs also allege that Cierant failed to apply available patches for Cleo VLTrader promptly. Investigating firms include Schubert Jonckheer & Kolbe LLP, Levi & Korsinsky LLP, and Federman & Sherwood.

If you received a notification letter and intend to participate in the consolidated litigation, preserve that letter as documentation.

What to do

  1. Enroll in the offered monitoring — or check your status. The Privacy Solutions ID enrollment deadline was September 30, 2025. If you have not enrolled, call 866-675-2006. If you have enrolled, verify your SSN monitoring alerts are active.

  2. Place credit freezes at all three bureaus. Equifax, Experian, and TransUnion each allow a free freeze. A freeze is stronger than a fraud alert: it prevents new accounts from being opened without your explicit unfreeze. Do this even if you enrolled in monitoring.

  3. If a minor’s data was involved, freeze your child’s credit separately. Synthetic identity theft against children’s SSNs can go undetected for years. Each bureau has a process for freezing a minor’s file — you will need to submit documentation as the parent or guardian.

  4. Watch your Explanation of Benefits statements. The exposed fields — provider names, service descriptions, medical record numbers, claims numbers — are precisely what a sophisticated impersonator would use to file fraudulent medical billing claims in your name. Review every EOB from your health plan.

  5. Be alert for targeted phishing. Your health plan name, beneficiary number, and plan account number were potentially exposed. Do not click links in emails or texts referencing your insurer or Cierant. Call your insurer directly using the number on your insurance card.

  6. Preserve your notification letter if you plan to join the consolidated class action in the District of Connecticut.

  7. Stop the ongoing flow of your health insurance data. HealthConsent files HIPAA restriction requests so the claims, benefits, and plan membership data exposed in this breach is not continuously re-shared among health plans, clearinghouses, and their vendors.

Continue reading

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.