Active breach tracker Hunt Valley / Sparks, Maryland Disclosed April 9, 2025

Kelly Benefits Data Breach 2025: 553,332 People Exposed Through a Maryland Benefits Administrator. What Plan Members of CareFirst, Aetna, Guardian, UnitedHealthcare, Humana and 40+ Other Employers Should Do.

Kelly & Associates Insurance Group (Kelly Benefits), a Hunt Valley, Maryland benefits administration firm, suffered a December 2024 intrusion that exfiltrated names, SSNs, DOBs, tax IDs, medical information, health-insurance details and financial account data on 553,332 people. The affected population is downstream plan members of 46 employer and carrier clients. Notification letters mailed May 2, 2025; 13+ class actions consolidated in D. Md.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Dec 12, 2024

Unauthorized access to the Kelly Benefits network environment begins

Dec 17, 2024

Kelly Benefits identifies suspicious activity and engages third-party digital forensics specialists

Mar 3, 2025

File review and identification of affected individuals (matched to client/carrier) completed

Apr 9, 2025

Initial HHS OCR filing — Hacking/IT Incident at Network Server, Business Associate, 32,234 individuals (interim)

Apr 21, 2025

Affected count revised upward to 263,893

Apr 22, 2025

Gale v. Kelly & Associates Insurance Group, Inc. filed (No. 8:25-cv-01304-AAQ, D. Md.)

Apr 25, 2025

Parks v. Kelly & Associates Insurance Group, Inc. filed (No. 1:25-cv-01311, D. Md.) — Milberg LLC

May 2, 2025

Individual notification letters mailed; IDX credit monitoring and identity-theft protection offered for 12 months

May 30, 2025

Affected count revised to 413,032

Jun 3, 2025

Affected count revised to 488,139 per state AG filings

Jun 5, 2025

Vermont Attorney General notified

Jul 1, 2025

Affected count revised to 533,660 per state AG filings (HHS OCR reflects 553,332)

Oct 1, 2025

Cases consolidated as In re Kelly Benefits Data Breach Litigation, No. 1:25-cv-01304 (D. Md.), before Judge Stephanie A. Gallagher

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth Social Security number

03

Contact & insurance

Phishing + targeted scams

Full name Tax identification number Medical information Health insurance information Financial account information

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Milberg LLC (Thomas A. Pacheco, Mariya Weekes) Federman & Sherwood Strauss Borrelli PLLC Migliaccio & Rathod LLP Markovits, Stock & DeMarco, LLC Pittman Dutton Hellums Bradley & Mann Kantrowitz, Goldhamer, Graifman, Perlmutter & Carballo, P.C. Schubert Jonckheer & Kolbe LLP The Lyon Firm Srourian Law Firm, LLP (SLFLA) (investigating) Murphy Law Firm (investigating) Edelson Lechtzin LLP (investigating) Cohen & Malad LLP (investigating)
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

Kelly & Associates Insurance Group, Inc., the Sparks, Maryland benefits administrator known publicly as Kelly Benefits, disclosed a hacking incident that ultimately exposed personal and health information on 553,332 individuals, almost all of whom are downstream plan members of employer and insurance-carrier clients that use Kelly Benefits to administer their benefits. The multiple federal class actions filed in response were consolidated in U.S. District Court for the District of Maryland as In re Kelly Benefits Data Breach Litigation, No. 1:25-cv-01304 (D. Md.), before Judge Stephanie A. Gallagher.

What happened

Kelly Benefits is a HIPAA business associate. Founded in 1976 as Francis X. Kelly Associates, Inc. and renamed Kelly & Associates Insurance Group, Inc. in 1998, the company employs approximately 500 people and generates an estimated $448 million in annual revenue. In 2007 it established Kelly Integral Solutions LLC as an umbrella management company covering its benefits administration, payroll, and technology lines. Employers and insurance carriers hire it to enroll members, manage benefits eligibility, process billing, and coordinate with carriers and brokers. To do that work, Kelly Benefits stores the kinds of data those plans hold: full names, Social Security numbers, dates of birth, tax IDs, medical information, health-insurance details and financial account information.

According to the company’s own disclosures and follow-on reporting, an external intruder accessed the Kelly Benefits network environment between December 12 and December 17, 2024. Kelly Benefits identified suspicious activity on December 17, 2024, and third-party digital forensics specialists confirmed that “certain files were copied and taken by the attackers.” File review to match affected individuals to client plans was completed on March 3, 2025.

Kelly Benefits filed an initial HIPAA breach notification with the U.S. Department of Health and Human Services Office for Civil Rights on April 9, 2025, reporting 32,234 affected individuals, a Hacking/IT Incident at a Network Server, with the entity’s role listed as Business Associate. The number was revised upward multiple times: to 263,893 on April 21, 2025; to 413,032 on May 30, 2025; to 488,139 on June 3, 2025; and to 533,660 per state AG filings as of July 1, 2025. The HHS OCR portal currently reflects 553,332, which is the authoritative federal figure for this incident.

Timeline

  • December 12–17, 2024 — Unauthorized access to the Kelly Benefits network environment
  • December 17, 2024 — Kelly Benefits identifies suspicious activity; engages third-party digital forensics specialists; notifies the FBI
  • March 3, 2025 — File review and identification of affected individuals completed
  • April 9, 2025 — Initial HHS OCR filing: 32,234 affected, Hacking/IT Incident at Network Server, Business Associate
  • April 21, 2025 — Affected count revised to 263,893
  • April 22, 2025Gale v. Kelly & Associates Insurance Group, Inc. filed (No. 8:25-cv-01304-AAQ), named plaintiff Carolyn Gale
  • April 25, 2025Parks v. Kelly & Associates Insurance Group, Inc. filed (No. 1:25-cv-01311), named plaintiff Brittany Parks, Milberg LLC
  • May 2, 2025 — Individual notification letters mailed; 12 months of complimentary IDX credit monitoring and identity-theft protection offered; breach reported to California and Maine AGs
  • May 30, 2025 — Affected count revised to 413,032
  • June 3, 2025 — Affected count revised to 488,139
  • June 5, 2025 — Vermont Attorney General notified
  • July 1, 2025 — Affected count revised to 533,660 (per state AG filings; HHS OCR reflects 553,332)
  • Late 2025 — Cases consolidated as In re Kelly Benefits Data Breach Litigation, No. 1:25-cv-01304 (D. Md.), before Judge Stephanie A. Gallagher

What was exposed

The data elements Kelly Benefits has confirmed in its notification letters and in state attorney general filings:

  • Full name
  • Date of birth
  • Social Security number
  • Tax identification number
  • Medical information
  • Health insurance information (insurer, member ID, claim details)
  • Financial account information

The specific combination varied by individual. Letters identified the exact data types per recipient.

Who is notifying you (and why it is your employer’s benefits administrator, not your insurer)

Kelly Benefits is a business associate under HIPAA, not the covered entity that has the direct relationship with you. The HIPAA Breach Notification Rule lets a business associate either notify affected individuals itself or delegate that duty back to the covered entity — the carrier or employer plan you actually deal with. Kelly Benefits took a hybrid path: it sent notification letters in its own name (so many recipients are receiving a letter from a company they have never heard of) while also notifying the 46 client plans and carriers whose members were involved so that those clients could communicate independently with their populations.

That is why you may have received a letter from Kelly Benefits even though your employer or insurer did the actual hiring, claims, or enrollment work.

The 46 downstream employer and carrier clients (partial public list)

Public reporting names the following downstream insurers, employer benefit plans, and other clients whose members were caught up in the Kelly Benefits intrusion. This list is partial: at least 46 entities were notified.

Insurance carriers:

  • Aetna Life Insurance Company
  • CareFirst BlueCross BlueShield
  • The Guardian Life Insurance Company of America
  • Humana Insurance ACE
  • Mutual of Omaha Insurance Company
  • OneAmerica Financial Partners
  • OptiMed Health
  • Reliance Standard Life Insurance
  • UnitedHealthcare / United Healthcare Services
  • Beam Benefits
  • Vision Benefits of America

Employer and plan clients:

  • Actalent, Inc.
  • Aerotek Inc.
  • Amergis Healthcare Staffing, Inc.
  • Beltway Companies
  • Education Affiliates
  • Fidelity Building Services Group
  • Intercon Truck of Baltimore
  • Maine School Management Association (11,596 Maine residents affected)
  • Merritt Group
  • Nutramax Laboratories
  • Publishers Circulation Fulfilment
  • Quantum Real Estate Management
  • Transforming Lives
  • University of Maryland Medical System
  • Virtua Health

If your employer, your carrier, or one of these clients shows up on your benefits paperwork — payroll deductions, ID card, claims correspondence — there is a meaningful probability that your data was in the Kelly Benefits files even if you have not yet received a letter. The Maine School Management Association alone accounted for 11,596 of the 18,820 Maine residents affected, according to News Center Maine’s coverage of the Maine AG filing.

Class-action posture

Multiple proposed federal class actions were filed against Kelly & Associates Insurance Group, Inc. in the U.S. District Court for the District of Maryland and have been consolidated into a single proceeding: In re Kelly Benefits Data Breach Litigation, No. 1:25-cv-01304 (D. Md.), assigned to Judge Stephanie A. Gallagher. The anchor case is Parks v. Kelly & Associates Insurance Group, Inc., No. 1:25-cv-01311, brought by Milberg LLC (Thomas A. Pacheco, Mariya Weekes, and Zachary Howerton) on behalf of lead plaintiff Brittany Parks. A second early-filed case, Gale v. Kelly & Associates Insurance Group, Inc., No. 8:25-cv-01304-AAQ (filed April 22, 2025), named plaintiff Carolyn Gale of Middle River, Maryland. Downstream employer defendants in the consolidated case include Actalent, Inc., Aerotek Inc., and Amergis Healthcare Staffing, Inc.

The complaints allege:

  • Negligence and statutory violations under Maryland’s Personal Information Protection Act (Md. Code Com. Law § 14-3504)
  • Failure to encrypt or redact sensitive personal information
  • A notification delay of more than four months from discovery (December 17, 2024) to individual notice (May 2, 2025), described as exceeding Maryland’s statutory window by more than 70 days
  • Inadequate breach notice content omitting how the breach occurred and whether the threat was contained
  • Non-compliance with FTC guidelines on reasonable data security

Plaintiffs’ firms publicly investigating or representing class members include Milberg LLC, Federman & Sherwood, Strauss Borrelli PLLC, Migliaccio & Rathod LLP, Markovits, Stock & DeMarco, Pittman Dutton Hellums Bradley & Mann, Kantrowitz, Goldhamer, Graifman, Perlmutter & Carballo, Schubert Jonckheer & Kolbe, The Lyon Firm, Srourian Law Firm (SLFLA), Murphy Law Firm, Edelson Lechtzin LLP, and Cohen & Malad LLP. No settlement has been announced as of June 2026. The CourtListener docket last updated January 11, 2026.

State AG filings. Kelly Benefits reported the breach to the attorneys general of at least 14 states: California, Iowa, Maine, Massachusetts, Montana, Nebraska, New Hampshire, Oregon, Rhode Island, South Carolina, Texas, Vermont, Washington, and an SEC disclosure was also filed. The Vermont AG was notified on June 5, 2025.

No ransomware group has claimed responsibility and no public dark-web leak of Kelly Benefits data has been reported.

What to do if you received a letter

This week:

  1. Enroll in the 12 months of IDX credit monitoring and identity-theft protection using the enrollment code in your notification letter. It is free to you. Kelly Benefits’ dedicated assistance line is 1-877-653-5018, available Monday through Friday, 9 a.m. to 9 p.m. Eastern Time. Then place free credit freezes at all three nationwide consumer reporting agencies (Equifax, Experian, TransUnion). The freezes do more than the monitoring does, because they prevent new accounts from being opened in your name at all.
  2. If your letter mentions Social Security number exposure, file IRS Form 14039 (Identity Theft Affidavit) and place a fraud alert with the Social Security Administration. Tax-refund fraud and unemployment-insurance fraud are the most common downstream consequences of SSN exposure.
  3. Save your notification letter and the IDX enrollment proof. You will need them to file a claim in any class settlement. They are also the simplest proof of standing for an individual lawsuit if you opt out.

This month:

  1. Watch for a class-action notice from D. Md. The multiple class actions have been consolidated as In re Kelly Benefits Data Breach Litigation, No. 1:25-cv-01304 (D. Md.), before Judge Stephanie A. Gallagher. When a class is certified or a settlement is preliminarily approved, a court-supervised notice program will send you a claim packet. Until then, no firm needs your personal information to “preserve your rights.”
  2. Stop the ongoing flow of your medical data. The exposed records include medical and health-insurance information. Once medical data is exposed, it tends to be bought, enriched, and resold by data brokers, ad-tech firms, and consumer-health platforms. HealthConsent files HIPAA restriction requests, FTC Health Breach Notification Rule deletion requests, and state-law deletion requests across the data-broker ecosystem so the medical record exposed in this breach is not continuously re-sold downstream. Credit monitoring addresses financial fraud. It does not address the flow of your diagnoses through the data-broker layer.

Sources

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.