Active breach tracker Atlanta, Georgia Disclosed June 13, 2025

Decisely Insurance Services Data Breach 2025: 537,603 Affected · Hacking at Cloud/Network Server · Georgia Business Associate

Decisely Insurance Services, a Georgia-based employee-benefits broker and HR services firm, filed a HIPAA breach with HHS OCR on June 13, 2025 covering 537,603 individuals after an unauthorized actor accessed its cloud storage on Dec 16, 2024. Exposed data spans SSNs, DOBs, passports, financial accounts, and PHI.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Dec 16, 2024

Unauthorized actor accessed and acquired data from Decisely's cloud storage platform

Dec 17, 2024

Decisely detected suspicious activity on its cloud storage platform and engaged outside cybersecurity experts

May 29, 2025

Decisely confirmed to affected individuals that the incident may have involved personal information linked to its MetLife partnership

Jun 13, 2025

Decisely filed the breach with HHS OCR (537,603 individuals) and began mailing notification letters; Vermont AG notified (65,405 residents)

Jun 13, 2025

Disclosed publicly

Jun 23, 2025

Garcia v. Decisely Insurance Services, LLC filed in N.D. Georgia (1:25-cv-03466)

Jun 25, 2025

Lynch Carpenter LLP publicly announced an investigation into the breach

Jul 15, 2025

Court consolidated Smith, Garcia, and Morris cases into lead case No. 1:25-CV-03461-ELR (N.D. Ga.), granted unopposed; interim class counsel appointed

Sep 30, 2025

Supplemental electronic notifications issued to additional affected individuals per Maine AG filing

Oct 10, 2025

Edelson Lechtzin LLP publicly announced a class-action investigation

Jan 8, 2026

New Jersey Cybersecurity and Communications Integration Cell (NJCCIC) issued a public advisory on the Decisely breach

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth Social Security number Driver's license number Passport number

02

Health records

Don't expire and can't be reissued

Diagnosis or condition information Treatment information

03

Contact & insurance

Phishing + targeted scams

First and last name Address Digital signature Financial account information Health insurance information Claims information Patient ID Provider name

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Federman & Sherwood (investigating) Edelson Lechtzin LLP (investigating) Migliaccio & Rathod LLP (investigating) Strauss Borrelli PLLC (investigating) Cole & Van Note (investigating) Pittman, Dutton, Hellums, Bradley & Mann, P.C. (investigating) Murphy Law Firm (investigating) Lynch Carpenter LLP (investigating)
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

Decisely Insurance Services, LLC — an Alpharetta, Georgia-based employee-benefits brokerage and HR-services firm that handles enrollment, payroll, and benefits administration for small-business clients — disclosed a HIPAA breach affecting 537,603 individuals to the U.S. Department of Health and Human Services Office for Civil Rights on June 13, 2025. Because Decisely processes protected health information on behalf of employer health plans and insurers, the incident is recorded on the OCR portal as a Business Associate breach categorized as a Hacking/IT Incident at a Network Server. According to Decisely’s own substitute notice and California AG filings, the underlying intrusion occurred between December 15 and 17, 2024, when an unauthorized actor accessed and exfiltrated files from Decisely’s cloud storage platform. The company confirmed on May 29, 2025 that the incident involved personal information linked to its partnership with MetLife, among other covered-entity clients. Decisely’s breach response counsel of record, per the Maine AG filing, is Constangy Brooks Smith & Prophete LLP.

Timeline

  • December 15-17, 2024 — An unauthorized third party accessed and exfiltrated data from Decisely’s cloud storage platform (date range per California AG filing).
  • December 17, 2024 — Decisely detected suspicious activity, engaged external cybersecurity experts, and began an internal investigation.
  • June 13, 2025 — Decisely reported the breach to HHS OCR and began mailing individual notification letters. Early state-level filings (Vermont AG, California AG) listed lower totals; the count was updated upward as the investigation continued.
  • September 30, 2025 — Supplemental electronic notifications were issued to additional affected individuals, per the Maine AG filing (113,984 total at that stage).
  • October 10, 2025 — Edelson Lechtzin LLP publicly announced a class-action investigation; multiple other plaintiff firms opened parallel investigations.
  • January 8, 2026 — The New Jersey Cybersecurity and Communications Integration Cell (NJCCIC) issued a public advisory on the Decisely breach, recommending affected individuals review guidance on compromised PII and identity theft.

The 537,603 figure on the HHS OCR portal is the consolidated total after multiple supplemental notifications. State AG offices across at least 14 states received filings: Texas (59,740 residents), Vermont (65,405), Maine (113,984), New Hampshire (2,255), Washington (2,861), Massachusetts (682), Montana (284), California, Iowa, Nebraska, Oregon, Rhode Island, and South Carolina.

What was exposed

Per Decisely’s substitute notice and state attorney-general filings, the data acquired varies by individual and may include any combination of:

  • Full name and home address
  • Date of birth
  • Social Security number
  • Driver’s license number
  • Passport number
  • Digital signature
  • Financial account information
  • Health insurance information, claims information, and patient ID
  • Diagnosis or condition information, treatment information, and provider name

The combination of Social Security number, financial account information, and health/claims data places this incident at the high end of the identity-theft and medical-identity-theft risk spectrum.

Who’s notifying you (business associate)

Decisely is a business associate under HIPAA. It does not provide medical care directly. It administers benefits and processes claims on behalf of employer-sponsored health plans, insurance carriers (the substitute notice references its relationship with MetLife, employers, and benefit-plan providers), and other covered entities. That means your individual notification letter may arrive from Decisely directly, or it may arrive from the employer or health plan whose data Decisely was handling. Either way, the underlying incident is the same one filed with HHS OCR on June 13, 2025.

Decisely is offering complimentary Kroll identity-monitoring and managed identity-theft recovery services to individuals whose Social Security numbers were involved. A dedicated call center is listed in the notice at 866-461-3640 (8:00 a.m.–5:30 p.m. Central).

Class-action posture

Multiple federal class-action complaints were filed in the U.S. District Court for the Northern District of Georgia. The court subsequently consolidated the first three actions into a single lead case:

  • Smith v. Decisely Insurance Services, LLC — 1:25-CV-03461-ELR (lead case)
  • Garcia v. Decisely Insurance Services, LLC — 1:25-CV-03466-ELR (consolidated into Smith)
  • Morris v. Decisely Insurance Services, LLC — 1:25-CV-03489-ELR (consolidated into Smith)
  • Warren v. Decisely Insurance Services, LLC — 1:25-cv-04295 (N.D. Ga., status pending)

Per court records, the consolidation motion was granted unopposed, with Smith as the lead case and interim class counsel appointed. The Related Actions were administratively closed; all further filings proceed under No. 1:25-CV-03461-ELR. Additional plaintiff firms continue to investigate: Federman & Sherwood, Edelson Lechtzin LLP, Migliaccio & Rathod LLP, Strauss Borrelli PLLC, Cole & Van Note, Pittman Dutton Hellums Bradley & Mann, Murphy Law Firm, and Lynch Carpenter LLP.

What to do

  • Freeze your credit with all three nationwide consumer reporting agencies. This is the single highest-leverage step against new-account identity theft and remains free.
  • Enroll in the Kroll monitoring Decisely is offering if your notification letter includes an activation code. It is paid for by Decisely and does not require waiving any legal rights.
  • Watch your health-insurance EOBs and provider statements for unfamiliar claims. Medical-identity theft does not show up on a credit report.
  • If your passport number was involved, you can request a replacement passport through the State Department; passport-number misuse is harder to monitor than SSN misuse.
  • Keep the notification letter. With four federal class-action complaints already on file, the letter is your proof of standing to participate in any eventual recovery.
  • Stop the ongoing flow of your health data. HealthConsent files HIPAA restriction requests so the health insurance, claims, and diagnosis information exposed in this breach is not continuously re-shared across employer benefit platforms, clearinghouses, and downstream insurers.

Sources

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.