Active breach tracker Louisville, KY HQ Disclosed February 28, 2026

Insurance ACE/Humana Data Breach 2026: 1,000 Members Exposed via Outside Counsel Pillsbury. Class Action Filed. What To Do

Humana Inc.'s 'Insurance ACE' (Affiliated Covered Entity — the umbrella of Humana's insurance subsidiaries) filed an HHS OCR breach for 1,000 individuals in February 2026. A separate but contemporaneous incident saw Humana's outside counsel, law firm Pillsbury Winthrop Shaw Pittman, compromised in a February 27, 2026 social-engineering attack exposing 2,104+ Texas-resident PHI records from litigation discovery files. Names, Social Security numbers, health insurance, and medical information exposed. Class action filed in W.D. Kentucky. What To Do.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Feb 27, 2026

Social-engineering compromise of Humana outside counsel Pillsbury Winthrop Shaw Pittman; litigation discovery files exfiltrated

Feb 27, 2026

Breach detected

Feb 28, 2026

HHS OCR filing by Insurance ACE/Humana (interim count: 1,000)

Mar 6, 2026

Texas AG report

Apr 22, 2026

Individual notification letters mailed

Apr 24, 2026

Texas AG: 2,104 Texas residents notified

Apr 30, 2026

Idaho AG filing

May 1, 2026

Norris v. Humana class action filed in W.D. Kentucky

Data exposed

01

High-risk identity

Enables financial + identity theft

Social Security number

03

Contact & insurance

Phishing + targeted scams

Full name Health insurance information Medical information (from litigation discovery files at outside counsel Pillsbury Winthrop Shaw Pittman per separate parallel notification)

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Norris v. Humana Inc. et al., 3:26-cv-00167-RGJ (W.D. Kentucky); plaintiffs counsel John C. Whitfield (Whitfield Crosby & Flynn PLLC) + Mariya Weekes (Milberg PLLC) Edelson Lechtzin LLP (publicly investigating) Dapeer Law (publicly investigating) Srourian Law Firm SLFLA (publicly investigating)
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

What is “Insurance ACE”?

“Insurance ACE” is not an agency or third-party. ACE = Affiliated Covered Entity, a HIPAA designation under 45 CFR 164.105(b) that allows legally separate covered entities under common ownership to operate as a single covered entity for HIPAA compliance.

Humana’s “Insurance ACE” is the umbrella of Humana’s insurance subsidiaries — Humana Insurance Co., Humana Health Plan Inc., Humana Benefit Plan of Illinois, CompBenefits, and others — designated as a single HIPAA covered entity. The filer of this OCR report is Humana Inc., headquartered in Louisville, Kentucky.

Humana is a Fortune 500 health insurance company with approximately 22 million medical members and a major Medicare Advantage business.

What happened

On February 27, 2026, a threat actor used social engineering to compromise Pillsbury Winthrop Shaw Pittman LLP — Humana’s outside counsel. The attacker exfiltrated litigation discovery files containing Humana member PHI (names, Social Security numbers, health insurance information, “other medical information”).

Insurance ACE / Humana filed an HHS OCR breach report on February 28, 2026 for 1,000 individuals (likely a placeholder / preliminary count). The Texas AG report on March 6, 2026 indicated 2,104 Texas residents notified — the final count is materially higher than the initial OCR filing.

Notice letters were mailed approximately April 22, 2026. The Norris v. Humana Inc. class action was filed in the Western District of Kentucky on May 1, 2026.

What was stolen

Per Pillsbury notification (applicable to Humana members):

  • Full name
  • Social Security number
  • Health insurance information
  • “Other medical information” from litigation discovery files

The “litigation discovery files” context is unusual — these are records that had been compiled for defense of specific lawsuits, which may include disability claims documentation, medical history relevant to coverage disputes, and other PHI that was being processed for active legal proceedings.

What Humana is offering

Per Dapeer Law’s summary of the notification letter, Humana’s notice does NOT reference complimentary credit or identity monitoring. This omission is unusual and is a focal point of the Norris v. Humana class action.

Class actions

  • Norris v. Humana Inc., et al., Case No. 3:26-cv-00167-RGJ, U.S. District Court Western District of Kentucky
  • Filed against Humana Inc. + CenterWell Certified Healthcare Corp.
  • Plaintiff: Colette Norris
  • Plaintiffs counsel: John C. Whitfield (Whitfield Crosby & Flynn PLLC) and Mariya Weekes (Milberg PLLC)
  • Claims: negligence, breach of implied contract, unjust enrichment; alleges failure to encrypt and redact

Additional investigations: Edelson Lechtzin LLP (April 20, 2026), Dapeer Law, Srourian Law Firm.

State AG filings

  • Texas AG: 2,104 residents (April 24, 2026)
  • Idaho AG: filing on or around April 30, 2026
  • Kentucky AG, California AG, Maine AG, Massachusetts AG: not located in public sources

What to do

  1. Read your specific notification letter to confirm whether your PHI was in the affected litigation files.
  2. Place free credit freezes at Equifax, Experian, TransUnion. Full SSN is in scope.
  3. File IRS Form 14039.
  4. Demand credit monitoring directly from Humana — the absence of an offer is unusual and class plaintiffs allege it is actionable.
  5. Consider joining the Norris v. Humana class action if you receive a notification letter.
  6. Watch your insurance Explanation of Benefits for unfamiliar claims.
  7. Stop the ongoing flow of your insurance member data through outside law firms. HealthConsent files HIPAA restriction requests covering health insurance business associate pathways including outside-counsel relationships.

Continue reading

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.