Decisely Insurance Services Data Breach 2025: 537,603 Affected · Hacking at Cloud/Network Server · Georgia Business Associate
Decisely Insurance Services, a Georgia-based employee-benefits broker and HR services firm, filed a HIPAA breach with HHS OCR on June 13, 2025 covering 537,603 individuals after an unauthorized actor accessed its cloud storage on Dec 16, 2024. Exposed data spans SSNs, DOBs, passports, financial accounts, and PHI.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Dec 16, 2024
Unauthorized actor accessed and acquired data from Decisely's cloud storage platform
Dec 17, 2024
Decisely detected suspicious activity on its cloud storage platform and engaged outside cybersecurity experts
May 29, 2025
Decisely confirmed to affected individuals that the incident may have involved personal information linked to its MetLife partnership
Jun 13, 2025
Decisely filed the breach with HHS OCR (537,603 individuals) and began mailing notification letters; Vermont AG notified (65,405 residents)
Jun 13, 2025
Disclosed publicly
Jun 23, 2025
Garcia v. Decisely Insurance Services, LLC filed in N.D. Georgia (1:25-cv-03466)
Jun 25, 2025
Lynch Carpenter LLP publicly announced an investigation into the breach
Jul 15, 2025
Court consolidated Smith, Garcia, and Morris cases into lead case No. 1:25-CV-03461-ELR (N.D. Ga.), granted unopposed; interim class counsel appointed
Sep 30, 2025
Supplemental electronic notifications issued to additional affected individuals per Maine AG filing
Oct 10, 2025
Edelson Lechtzin LLP publicly announced a class-action investigation
Jan 8, 2026
New Jersey Cybersecurity and Communications Integration Cell (NJCCIC) issued a public advisory on the Decisely breach
Dec 16, 2024
Unauthorized actor accessed and acquired data from Decisely's cloud storage platform
Dec 17, 2024
Decisely detected suspicious activity on its cloud storage platform and engaged outside cybersecurity experts
May 29, 2025
Decisely confirmed to affected individuals that the incident may have involved personal information linked to its MetLife partnership
Jun 13, 2025
Decisely filed the breach with HHS OCR (537,603 individuals) and began mailing notification letters; Vermont AG notified (65,405 residents)
Jun 13, 2025
Disclosed publicly
Jun 23, 2025
Garcia v. Decisely Insurance Services, LLC filed in N.D. Georgia (1:25-cv-03466)
Jun 25, 2025
Lynch Carpenter LLP publicly announced an investigation into the breach
Jul 15, 2025
Court consolidated Smith, Garcia, and Morris cases into lead case No. 1:25-CV-03461-ELR (N.D. Ga.), granted unopposed; interim class counsel appointed
Sep 30, 2025
Supplemental electronic notifications issued to additional affected individuals per Maine AG filing
Oct 10, 2025
Edelson Lechtzin LLP publicly announced a class-action investigation
Jan 8, 2026
New Jersey Cybersecurity and Communications Integration Cell (NJCCIC) issued a public advisory on the Decisely breach
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
Decisely Insurance Services, LLC — an Alpharetta, Georgia-based employee-benefits brokerage and HR-services firm that handles enrollment, payroll, and benefits administration for small-business clients — disclosed a HIPAA breach affecting 537,603 individuals to the U.S. Department of Health and Human Services Office for Civil Rights on June 13, 2025. Because Decisely processes protected health information on behalf of employer health plans and insurers, the incident is recorded on the OCR portal as a Business Associate breach categorized as a Hacking/IT Incident at a Network Server. According to Decisely’s own substitute notice and California AG filings, the underlying intrusion occurred between December 15 and 17, 2024, when an unauthorized actor accessed and exfiltrated files from Decisely’s cloud storage platform. The company confirmed on May 29, 2025 that the incident involved personal information linked to its partnership with MetLife, among other covered-entity clients. Decisely’s breach response counsel of record, per the Maine AG filing, is Constangy Brooks Smith & Prophete LLP.
Timeline
- December 15-17, 2024 — An unauthorized third party accessed and exfiltrated data from Decisely’s cloud storage platform (date range per California AG filing).
- December 17, 2024 — Decisely detected suspicious activity, engaged external cybersecurity experts, and began an internal investigation.
- June 13, 2025 — Decisely reported the breach to HHS OCR and began mailing individual notification letters. Early state-level filings (Vermont AG, California AG) listed lower totals; the count was updated upward as the investigation continued.
- September 30, 2025 — Supplemental electronic notifications were issued to additional affected individuals, per the Maine AG filing (113,984 total at that stage).
- October 10, 2025 — Edelson Lechtzin LLP publicly announced a class-action investigation; multiple other plaintiff firms opened parallel investigations.
- January 8, 2026 — The New Jersey Cybersecurity and Communications Integration Cell (NJCCIC) issued a public advisory on the Decisely breach, recommending affected individuals review guidance on compromised PII and identity theft.
The 537,603 figure on the HHS OCR portal is the consolidated total after multiple supplemental notifications. State AG offices across at least 14 states received filings: Texas (59,740 residents), Vermont (65,405), Maine (113,984), New Hampshire (2,255), Washington (2,861), Massachusetts (682), Montana (284), California, Iowa, Nebraska, Oregon, Rhode Island, and South Carolina.
What was exposed
Per Decisely’s substitute notice and state attorney-general filings, the data acquired varies by individual and may include any combination of:
- Full name and home address
- Date of birth
- Social Security number
- Driver’s license number
- Passport number
- Digital signature
- Financial account information
- Health insurance information, claims information, and patient ID
- Diagnosis or condition information, treatment information, and provider name
The combination of Social Security number, financial account information, and health/claims data places this incident at the high end of the identity-theft and medical-identity-theft risk spectrum.
Who’s notifying you (business associate)
Decisely is a business associate under HIPAA. It does not provide medical care directly. It administers benefits and processes claims on behalf of employer-sponsored health plans, insurance carriers (the substitute notice references its relationship with MetLife, employers, and benefit-plan providers), and other covered entities. That means your individual notification letter may arrive from Decisely directly, or it may arrive from the employer or health plan whose data Decisely was handling. Either way, the underlying incident is the same one filed with HHS OCR on June 13, 2025.
Decisely is offering complimentary Kroll identity-monitoring and managed identity-theft recovery services to individuals whose Social Security numbers were involved. A dedicated call center is listed in the notice at 866-461-3640 (8:00 a.m.–5:30 p.m. Central).
Class-action posture
Multiple federal class-action complaints were filed in the U.S. District Court for the Northern District of Georgia. The court subsequently consolidated the first three actions into a single lead case:
- Smith v. Decisely Insurance Services, LLC — 1:25-CV-03461-ELR (lead case)
- Garcia v. Decisely Insurance Services, LLC — 1:25-CV-03466-ELR (consolidated into Smith)
- Morris v. Decisely Insurance Services, LLC — 1:25-CV-03489-ELR (consolidated into Smith)
- Warren v. Decisely Insurance Services, LLC — 1:25-cv-04295 (N.D. Ga., status pending)
Per court records, the consolidation motion was granted unopposed, with Smith as the lead case and interim class counsel appointed. The Related Actions were administratively closed; all further filings proceed under No. 1:25-CV-03461-ELR. Additional plaintiff firms continue to investigate: Federman & Sherwood, Edelson Lechtzin LLP, Migliaccio & Rathod LLP, Strauss Borrelli PLLC, Cole & Van Note, Pittman Dutton Hellums Bradley & Mann, Murphy Law Firm, and Lynch Carpenter LLP.
What to do
- Freeze your credit with all three nationwide consumer reporting agencies. This is the single highest-leverage step against new-account identity theft and remains free.
- Enroll in the Kroll monitoring Decisely is offering if your notification letter includes an activation code. It is paid for by Decisely and does not require waiving any legal rights.
- Watch your health-insurance EOBs and provider statements for unfamiliar claims. Medical-identity theft does not show up on a credit report.
- If your passport number was involved, you can request a replacement passport through the State Department; passport-number misuse is harder to monitor than SSN misuse.
- Keep the notification letter. With four federal class-action complaints already on file, the letter is your proof of standing to participate in any eventual recovery.
- Stop the ongoing flow of your health data. HealthConsent files HIPAA restriction requests so the health insurance, claims, and diagnosis information exposed in this breach is not continuously re-shared across employer benefit platforms, clearinghouses, and downstream insurers.
Sources
- Decisely — Notice of Data Security Incident (PDF) — the entity’s own substitute notice.
- HIPAA Journal — Data Breaches Announced By Decisely Insurance Services & Apex Global Solutions — trade-press coverage including the updated 537,603 count.
- Maine Attorney General — Decisely data breach notice — state regulator filing.
- Vermont Attorney General — Decisely Insurance Services data breach notice (June 13, 2025) — state regulator filing (65,405 Vermont residents).
- ClassAction.org — Decisely Insurance Services Data Breach Lawsuit Investigation — plaintiff-side investigation summary.
- CourtListener — Garcia v. Decisely Insurance Services, LLC (1:25-cv-03466, N.D. Ga.) — filed federal class-action complaint.
- Justia — Smith v. Decisely Insurance Services, LLC (1:2025cv03461, N.D. Ga.) — filed federal class-action complaint.
- GlobeNewswire — Lynch Carpenter Investigates Claims in Decisely Insurance Services Data Breach (June 25, 2025) — firm investigation announcement.
- GlobeNewswire — Edelson Lechtzin LLP investigating Decisely claims (Oct 10, 2025) — firm announcement establishing class-action posture.
- HHS Office for Civil Rights Breach Portal — the federal regulatory record of this breach.
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- Decisely — Notice of Data Security Incident (decisely.com)
- HIPAA Journal — Data Breaches Announced By Decisely Insurance Services & Apex Global Solutions
- Maine Attorney General — Decisely Insurance Services data breach notice
- ClassAction.org — Decisely Insurance Services Data Breach Lawsuit Investigation
- GlobeNewswire — Edelson Lechtzin LLP investigating Decisely claims (Oct 10, 2025)
- Vermont Attorney General — Decisely Insurance Services data breach notice (June 13, 2025)
- CourtListener — Garcia v. Decisely Insurance Services, LLC (1:25-cv-03466, N.D. Ga.)
- Justia — Smith v. Decisely Insurance Services, LLC (1:2025cv03461, N.D. Ga.)
- GlobeNewswire — Lynch Carpenter Investigates Claims in Decisely Insurance Services Data Breach (June 25, 2025)
- HHS Office for Civil Rights Breach Portal
- UniCourt — Garcia v. Decisely Insurance Services, LLC (consolidation order)
- California Attorney General — Decisely Insurance Services breach filing (June 14, 2025)
- New Jersey NJCCIC — Decisely Insurance public advisory (January 8, 2026)
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.