Insurance ACE/Humana Data Breach 2026: 1,000 Members Exposed via Outside Counsel Pillsbury. Class Action Filed. What To Do
Humana Inc.'s 'Insurance ACE' (Affiliated Covered Entity — the umbrella of Humana's insurance subsidiaries) filed an HHS OCR breach for 1,000 individuals in February 2026. A separate but contemporaneous incident saw Humana's outside counsel, law firm Pillsbury Winthrop Shaw Pittman, compromised in a February 27, 2026 social-engineering attack exposing 2,104+ Texas-resident PHI records from litigation discovery files. Names, Social Security numbers, health insurance, and medical information exposed. Class action filed in W.D. Kentucky. What To Do.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Feb 27, 2026
Social-engineering compromise of Humana outside counsel Pillsbury Winthrop Shaw Pittman; litigation discovery files exfiltrated
Feb 27, 2026
Breach detected
Feb 28, 2026
HHS OCR filing by Insurance ACE/Humana (interim count: 1,000)
Mar 6, 2026
Texas AG report
Apr 22, 2026
Individual notification letters mailed
Apr 24, 2026
Texas AG: 2,104 Texas residents notified
Apr 30, 2026
Idaho AG filing
May 1, 2026
Norris v. Humana class action filed in W.D. Kentucky
Feb 27, 2026
Social-engineering compromise of Humana outside counsel Pillsbury Winthrop Shaw Pittman; litigation discovery files exfiltrated
Feb 27, 2026
Breach detected
Feb 28, 2026
HHS OCR filing by Insurance ACE/Humana (interim count: 1,000)
Mar 6, 2026
Texas AG report
Apr 22, 2026
Individual notification letters mailed
Apr 24, 2026
Texas AG: 2,104 Texas residents notified
Apr 30, 2026
Idaho AG filing
May 1, 2026
Norris v. Humana class action filed in W.D. Kentucky
Data exposed
01
High-risk identity
Enables financial + identity theft
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
What is “Insurance ACE”?
“Insurance ACE” is not an agency or third-party. ACE = Affiliated Covered Entity, a HIPAA designation under 45 CFR 164.105(b) that allows legally separate covered entities under common ownership to operate as a single covered entity for HIPAA compliance.
Humana’s “Insurance ACE” is the umbrella of Humana’s insurance subsidiaries — Humana Insurance Co., Humana Health Plan Inc., Humana Benefit Plan of Illinois, CompBenefits, and others — designated as a single HIPAA covered entity. The filer of this OCR report is Humana Inc., headquartered in Louisville, Kentucky.
Humana is a Fortune 500 health insurance company with approximately 22 million medical members and a major Medicare Advantage business.
What happened
On February 27, 2026, a threat actor used social engineering to compromise Pillsbury Winthrop Shaw Pittman LLP — Humana’s outside counsel. The attacker exfiltrated litigation discovery files containing Humana member PHI (names, Social Security numbers, health insurance information, “other medical information”).
Insurance ACE / Humana filed an HHS OCR breach report on February 28, 2026 for 1,000 individuals (likely a placeholder / preliminary count). The Texas AG report on March 6, 2026 indicated 2,104 Texas residents notified — the final count is materially higher than the initial OCR filing.
Notice letters were mailed approximately April 22, 2026. The Norris v. Humana Inc. class action was filed in the Western District of Kentucky on May 1, 2026.
What was stolen
Per Pillsbury notification (applicable to Humana members):
- Full name
- Social Security number
- Health insurance information
- “Other medical information” from litigation discovery files
The “litigation discovery files” context is unusual — these are records that had been compiled for defense of specific lawsuits, which may include disability claims documentation, medical history relevant to coverage disputes, and other PHI that was being processed for active legal proceedings.
What Humana is offering
Per Dapeer Law’s summary of the notification letter, Humana’s notice does NOT reference complimentary credit or identity monitoring. This omission is unusual and is a focal point of the Norris v. Humana class action.
Class actions
- Norris v. Humana Inc., et al., Case No. 3:26-cv-00167-RGJ, U.S. District Court Western District of Kentucky
- Filed against Humana Inc. + CenterWell Certified Healthcare Corp.
- Plaintiff: Colette Norris
- Plaintiffs counsel: John C. Whitfield (Whitfield Crosby & Flynn PLLC) and Mariya Weekes (Milberg PLLC)
- Claims: negligence, breach of implied contract, unjust enrichment; alleges failure to encrypt and redact
Additional investigations: Edelson Lechtzin LLP (April 20, 2026), Dapeer Law, Srourian Law Firm.
State AG filings
- Texas AG: 2,104 residents (April 24, 2026)
- Idaho AG: filing on or around April 30, 2026
- Kentucky AG, California AG, Maine AG, Massachusetts AG: not located in public sources
What to do
- Read your specific notification letter to confirm whether your PHI was in the affected litigation files.
- Place free credit freezes at Equifax, Experian, TransUnion. Full SSN is in scope.
- File IRS Form 14039.
- Demand credit monitoring directly from Humana — the absence of an offer is unusual and class plaintiffs allege it is actionable.
- Consider joining the Norris v. Humana class action if you receive a notification letter.
- Watch your insurance Explanation of Benefits for unfamiliar claims.
- Stop the ongoing flow of your insurance member data through outside law firms. HealthConsent files HIPAA restriction requests covering health insurance business associate pathways including outside-counsel relationships.
Continue reading
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- Srourian Law Firm: Insurance ACE / Humana Data Breach Alert
- Dapeer Law: Humana Data Breach Investigation
- Top Class Actions: Humana March 2026 Class Action
- ClassAction.org: Humana News Category
- GlobeNewswire: Edelson Lechtzin Humana Investigation
- Humana Healthcare Data Breaches Page
- HHS OCR Breach Portal
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.