Coalesce, LLC dba BenefitElect Data Breach 2025: 501 PHI Records Exposed After CrushFTP Zero-Day; KillSec Ransomware Group Claims Theft
BenefitElect, an Arizona-based benefits-administration vendor (HIPAA business associate), filed a HIPAA breach notification with HHS OCR on October 15, 2025 after an unauthorized actor exploited a CrushFTP vulnerability (CVE-2025-31161) to access and exfiltrate files containing names, Social Security numbers, dates of birth, addresses, and financial account information.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Mar 30, 2025
Unauthorized actor exploits a CrushFTP vulnerability (CVE-2025-31161) and begins accessing BenefitElect files
Apr 2, 2025
BenefitElect detects suspicious activity on its systems and engages external cybersecurity specialists
Oct 15, 2025
BenefitElect files HIPAA breach notification with HHS OCR (501 individuals, Hacking/IT Incident, Network Server) and issues public notice of data event
Oct 15, 2025
Sample individual notification letter submitted to the California Attorney General; state AG filings made in CA, MA, OR, and NH
Oct 16, 2025
Plaintiffs' firms (Federman & Sherwood, Strauss Borrelli, SLFLA, Maxey) publicly open class-action investigations
Mar 30, 2025
Unauthorized actor exploits a CrushFTP vulnerability (CVE-2025-31161) and begins accessing BenefitElect files
Apr 2, 2025
BenefitElect detects suspicious activity on its systems and engages external cybersecurity specialists
Oct 15, 2025
BenefitElect files HIPAA breach notification with HHS OCR (501 individuals, Hacking/IT Incident, Network Server) and issues public notice of data event
Oct 15, 2025
Sample individual notification letter submitted to the California Attorney General; state AG filings made in CA, MA, OR, and NH
Oct 16, 2025
Plaintiffs' firms (Federman & Sherwood, Strauss Borrelli, SLFLA, Maxey) publicly open class-action investigations
Data exposed
01
High-risk identity
Enables financial + identity theft
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
Arizona-based benefits-administration and HR-software vendor Coalesce, LLC dba BenefitElect disclosed on October 15, 2025 that an unauthorized actor exploited a vulnerability in CrushFTP managed-file-transfer software to access and exfiltrate files from its environment between March 30 and March 31, 2025. BenefitElect detected suspicious activity on April 2, 2025 and engaged external cybersecurity specialists. The HHS Office for Civil Rights breach portal currently reflects 501 individuals under the company’s HIPAA Business Associate filing, recorded as a Hacking/IT Incident at a Network Server. The ransomware-and-extortion group KillSec (also tracked as Kill Security) claimed responsibility on its dark-web leak site and indicated it intended to publish stolen data. The HHS OCR count covers only the HIPAA-covered subset of affected individuals; total notification volume reported to state regulators is broader, and BenefitElect’s review of all affected files remains ongoing.
Timeline of what we know
- March 30 to March 31, 2025 — An unauthorized actor exploits a CrushFTP authentication-bypass vulnerability (later tracked as CVE-2025-31161) and accesses files in BenefitElect’s environment.
- April 2, 2025 — BenefitElect detects suspicious activity, secures its systems, and engages external cybersecurity specialists to investigate.
- April through October 2025 — Forensic review and data analysis determine which files were affected and which individuals had sensitive information involved. Mailing addresses are validated for notification.
- October 15, 2025 — BenefitElect files its HIPAA breach report with HHS OCR (501 individuals, Hacking/IT Incident, Network Server, Business Associate). The same day the company issues a public notice of data event via PR Newswire and submits sample notification letters to the attorneys general of California, Massachusetts, Oregon, and New Hampshire.
- October 16, 2025 — Plaintiffs’ firms publicly announce class-action investigations of Coalesce, LLC dba BenefitElect.
What was exposed
Per BenefitElect’s official security-incident notice, its press release, and the sample notification letter filed with the California Attorney General, the files accessed during the intrusion may have contained any of the following, depending on the individual:
- Full name
- Home address
- Date of birth
- Social Security number
- Financial account information
- Other benefits eligibility and onboarding census information
BenefitElect has stated that not every data element was present for every affected individual, and the specific elements involved are listed on each person’s individual notification letter.
What BenefitElect is offering
BenefitElect is offering affected individuals complimentary credit monitoring and identity-theft protection services through IDX. Enrollment instructions and a unique activation code are included in the individual notification letters. The company has also stood up a dedicated assistance line at 1-833-353-5633, available Monday through Friday, 9 a.m. to 9 p.m. Eastern time, and is directing affected individuals to contact Equifax, Experian, and TransUnion to place fraud alerts or credit freezes.
Class-action and regulatory posture
By mid-October 2025, multiple plaintiffs’ firms — including Federman & Sherwood, Strauss Borrelli PLLC, the Srourian Law Firm (SLFLA), and Maxey Law Firm — had publicly opened investigations into the breach and were signing up potential class members. As of this writing no consolidated class-action complaint against Coalesce, LLC dba BenefitElect has been publicly docketed in federal court; the investigations are pre-suit. The HHS Office for Civil Rights investigation remains open. State attorney general filings have been submitted in California (reference SB24-612847), Massachusetts, Oregon, and New Hampshire.
The CrushFTP vulnerability at the heart of this incident (CVE-2025-31161) was an authentication-bypass flaw disclosed by researchers at Outpost24 in March 2025 and added to CISA’s Known Exploited Vulnerabilities catalog shortly thereafter. KillSec was the first ransomware group to publicly claim exploitation of the bug; the same vulnerability has been linked to attacks on multiple other organizations during the same window.
What to do if you may be affected
Sensitive identifiers including Social Security numbers and financial-account information were exposed. Treat this as a high-severity exposure and stack defenses:
- Freeze your credit at all three bureaus — Equifax, Experian, and TransUnion. It is free, takes about ten minutes per bureau online, and blocks new account fraud cold. This is the single highest-leverage step when SSNs are in play.
- Enroll in the IDX credit monitoring BenefitElect is offering when your notification letter arrives. Use the activation code printed on the letter to register before the enrollment deadline.
- Watch your bank and brokerage accounts. Financial account information was among the data exposed. Turn on transaction alerts, review statements line by line for the next several months, and report anything unfamiliar immediately.
- File IRS Form 14039 (Identity Theft Affidavit) if you see a rejected tax return or suspicious IRS correspondence. With SSNs in the wild, tax-refund fraud is a leading follow-on attack pattern.
- Request an Identity Protection PIN (IP PIN) from the IRS at irs.gov/ippin. It is free and prevents fraudulent filings under your SSN.
- Be skeptical of phone, text, and email outreach claiming to be from BenefitElect or your employer’s benefits team. Threat actors routinely follow large breaches with targeted phishing that references real benefits or census data. BenefitElect will not ask for your full SSN, bank login, or one-time codes by phone to “verify” your enrollment.
- Keep the notification letter. It documents the specific data elements involved for your record, which can matter if you later need to file a claim, dispute fraudulent charges, or join a class action.
Sources
- HHS Office for Civil Rights Breach Portal
- BenefitElect — official “Security Incident” notice
- Coalesce, LLC dba BenefitElect — Notice of Data Event (PR Newswire / Fox4KC, October 15, 2025)
- California Attorney General — Submitted Breach Notification Sample (Coalesce/Benefitelect, ref. SB24-612847)
- California Attorney General — Coalesce, LLC dba Benefitelect Notice of Data Event (consumer letter PDF)
- Federman & Sherwood — Coalesce, LLC dba Benefitelect Data Breach (investigation)
- Strauss Borrelli PLLC — BenefitElect Data Breach Investigation
- Kennedys Law — CrushFTP being exploited in widespread cyber attack
- The Record (Recorded Future News) — CISA warns of CrushFTP attacks as ransomware gang makes threats
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HHS Office for Civil Rights Breach Portal
- BenefitElect — official 'Security Incident' notice
- Coalesce, LLC dba BenefitElect — Notice of Data Event (PR Newswire / Fox4KC, October 15, 2025)
- California Attorney General — Submitted Breach Notification Sample (Coalesce/Benefitelect, ref. SB24-612847)
- California Attorney General — Coalesce, LLC dba Benefitelect Notice of Data Event (consumer letter PDF)
- Federman & Sherwood — Coalesce, LLC dba Benefitelect Data Breach (investigation)
- Strauss Borrelli PLLC — BenefitElect Data Breach Investigation (October 16, 2025)
- Kennedys Law — Vulnerability crush: organisations are being exploited via CrushFTP in widespread cyber attack
- The Record (Recorded Future News) — CISA, experts warn of CrushFTP file-transfer attacks as ransomware gang makes threats
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.