Kelly Benefits Data Breach 2025: 553,332 People Exposed Through a Maryland Benefits Administrator. What Plan Members of CareFirst, Aetna, Guardian, UnitedHealthcare, Humana and 40+ Other Employers Should Do.
Kelly & Associates Insurance Group (Kelly Benefits), a Hunt Valley, Maryland benefits administration firm, suffered a December 2024 intrusion that exfiltrated names, SSNs, DOBs, tax IDs, medical information, health-insurance details and financial account data on 553,332 people. The affected population is downstream plan members of 46 employer and carrier clients. Notification letters mailed May 2, 2025; 13+ class actions consolidated in D. Md.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Dec 12, 2024
Unauthorized access to the Kelly Benefits network environment begins
Dec 17, 2024
Kelly Benefits identifies suspicious activity and engages third-party digital forensics specialists
Mar 3, 2025
File review and identification of affected individuals (matched to client/carrier) completed
Apr 9, 2025
Initial HHS OCR filing — Hacking/IT Incident at Network Server, Business Associate, 32,234 individuals (interim)
Apr 21, 2025
Affected count revised upward to 263,893
Apr 22, 2025
Gale v. Kelly & Associates Insurance Group, Inc. filed (No. 8:25-cv-01304-AAQ, D. Md.)
Apr 25, 2025
Parks v. Kelly & Associates Insurance Group, Inc. filed (No. 1:25-cv-01311, D. Md.) — Milberg LLC
May 2, 2025
Individual notification letters mailed; IDX credit monitoring and identity-theft protection offered for 12 months
May 30, 2025
Affected count revised to 413,032
Jun 3, 2025
Affected count revised to 488,139 per state AG filings
Jun 5, 2025
Vermont Attorney General notified
Jul 1, 2025
Affected count revised to 533,660 per state AG filings (HHS OCR reflects 553,332)
Oct 1, 2025
Cases consolidated as In re Kelly Benefits Data Breach Litigation, No. 1:25-cv-01304 (D. Md.), before Judge Stephanie A. Gallagher
Dec 12, 2024
Unauthorized access to the Kelly Benefits network environment begins
Dec 17, 2024
Kelly Benefits identifies suspicious activity and engages third-party digital forensics specialists
Mar 3, 2025
File review and identification of affected individuals (matched to client/carrier) completed
Apr 9, 2025
Initial HHS OCR filing — Hacking/IT Incident at Network Server, Business Associate, 32,234 individuals (interim)
Apr 21, 2025
Affected count revised upward to 263,893
Apr 22, 2025
Gale v. Kelly & Associates Insurance Group, Inc. filed (No. 8:25-cv-01304-AAQ, D. Md.)
Apr 25, 2025
Parks v. Kelly & Associates Insurance Group, Inc. filed (No. 1:25-cv-01311, D. Md.) — Milberg LLC
May 2, 2025
Individual notification letters mailed; IDX credit monitoring and identity-theft protection offered for 12 months
May 30, 2025
Affected count revised to 413,032
Jun 3, 2025
Affected count revised to 488,139 per state AG filings
Jun 5, 2025
Vermont Attorney General notified
Jul 1, 2025
Affected count revised to 533,660 per state AG filings (HHS OCR reflects 553,332)
Oct 1, 2025
Cases consolidated as In re Kelly Benefits Data Breach Litigation, No. 1:25-cv-01304 (D. Md.), before Judge Stephanie A. Gallagher
Data exposed
01
High-risk identity
Enables financial + identity theft
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
Kelly & Associates Insurance Group, Inc., the Sparks, Maryland benefits administrator known publicly as Kelly Benefits, disclosed a hacking incident that ultimately exposed personal and health information on 553,332 individuals, almost all of whom are downstream plan members of employer and insurance-carrier clients that use Kelly Benefits to administer their benefits. The multiple federal class actions filed in response were consolidated in U.S. District Court for the District of Maryland as In re Kelly Benefits Data Breach Litigation, No. 1:25-cv-01304 (D. Md.), before Judge Stephanie A. Gallagher.
What happened
Kelly Benefits is a HIPAA business associate. Founded in 1976 as Francis X. Kelly Associates, Inc. and renamed Kelly & Associates Insurance Group, Inc. in 1998, the company employs approximately 500 people and generates an estimated $448 million in annual revenue. In 2007 it established Kelly Integral Solutions LLC as an umbrella management company covering its benefits administration, payroll, and technology lines. Employers and insurance carriers hire it to enroll members, manage benefits eligibility, process billing, and coordinate with carriers and brokers. To do that work, Kelly Benefits stores the kinds of data those plans hold: full names, Social Security numbers, dates of birth, tax IDs, medical information, health-insurance details and financial account information.
According to the company’s own disclosures and follow-on reporting, an external intruder accessed the Kelly Benefits network environment between December 12 and December 17, 2024. Kelly Benefits identified suspicious activity on December 17, 2024, and third-party digital forensics specialists confirmed that “certain files were copied and taken by the attackers.” File review to match affected individuals to client plans was completed on March 3, 2025.
Kelly Benefits filed an initial HIPAA breach notification with the U.S. Department of Health and Human Services Office for Civil Rights on April 9, 2025, reporting 32,234 affected individuals, a Hacking/IT Incident at a Network Server, with the entity’s role listed as Business Associate. The number was revised upward multiple times: to 263,893 on April 21, 2025; to 413,032 on May 30, 2025; to 488,139 on June 3, 2025; and to 533,660 per state AG filings as of July 1, 2025. The HHS OCR portal currently reflects 553,332, which is the authoritative federal figure for this incident.
Timeline
- December 12–17, 2024 — Unauthorized access to the Kelly Benefits network environment
- December 17, 2024 — Kelly Benefits identifies suspicious activity; engages third-party digital forensics specialists; notifies the FBI
- March 3, 2025 — File review and identification of affected individuals completed
- April 9, 2025 — Initial HHS OCR filing: 32,234 affected, Hacking/IT Incident at Network Server, Business Associate
- April 21, 2025 — Affected count revised to 263,893
- April 22, 2025 — Gale v. Kelly & Associates Insurance Group, Inc. filed (No. 8:25-cv-01304-AAQ), named plaintiff Carolyn Gale
- April 25, 2025 — Parks v. Kelly & Associates Insurance Group, Inc. filed (No. 1:25-cv-01311), named plaintiff Brittany Parks, Milberg LLC
- May 2, 2025 — Individual notification letters mailed; 12 months of complimentary IDX credit monitoring and identity-theft protection offered; breach reported to California and Maine AGs
- May 30, 2025 — Affected count revised to 413,032
- June 3, 2025 — Affected count revised to 488,139
- June 5, 2025 — Vermont Attorney General notified
- July 1, 2025 — Affected count revised to 533,660 (per state AG filings; HHS OCR reflects 553,332)
- Late 2025 — Cases consolidated as In re Kelly Benefits Data Breach Litigation, No. 1:25-cv-01304 (D. Md.), before Judge Stephanie A. Gallagher
What was exposed
The data elements Kelly Benefits has confirmed in its notification letters and in state attorney general filings:
- Full name
- Date of birth
- Social Security number
- Tax identification number
- Medical information
- Health insurance information (insurer, member ID, claim details)
- Financial account information
The specific combination varied by individual. Letters identified the exact data types per recipient.
Who is notifying you (and why it is your employer’s benefits administrator, not your insurer)
Kelly Benefits is a business associate under HIPAA, not the covered entity that has the direct relationship with you. The HIPAA Breach Notification Rule lets a business associate either notify affected individuals itself or delegate that duty back to the covered entity — the carrier or employer plan you actually deal with. Kelly Benefits took a hybrid path: it sent notification letters in its own name (so many recipients are receiving a letter from a company they have never heard of) while also notifying the 46 client plans and carriers whose members were involved so that those clients could communicate independently with their populations.
That is why you may have received a letter from Kelly Benefits even though your employer or insurer did the actual hiring, claims, or enrollment work.
The 46 downstream employer and carrier clients (partial public list)
Public reporting names the following downstream insurers, employer benefit plans, and other clients whose members were caught up in the Kelly Benefits intrusion. This list is partial: at least 46 entities were notified.
Insurance carriers:
- Aetna Life Insurance Company
- CareFirst BlueCross BlueShield
- The Guardian Life Insurance Company of America
- Humana Insurance ACE
- Mutual of Omaha Insurance Company
- OneAmerica Financial Partners
- OptiMed Health
- Reliance Standard Life Insurance
- UnitedHealthcare / United Healthcare Services
- Beam Benefits
- Vision Benefits of America
Employer and plan clients:
- Actalent, Inc.
- Aerotek Inc.
- Amergis Healthcare Staffing, Inc.
- Beltway Companies
- Education Affiliates
- Fidelity Building Services Group
- Intercon Truck of Baltimore
- Maine School Management Association (11,596 Maine residents affected)
- Merritt Group
- Nutramax Laboratories
- Publishers Circulation Fulfilment
- Quantum Real Estate Management
- Transforming Lives
- University of Maryland Medical System
- Virtua Health
If your employer, your carrier, or one of these clients shows up on your benefits paperwork — payroll deductions, ID card, claims correspondence — there is a meaningful probability that your data was in the Kelly Benefits files even if you have not yet received a letter. The Maine School Management Association alone accounted for 11,596 of the 18,820 Maine residents affected, according to News Center Maine’s coverage of the Maine AG filing.
Class-action posture
Multiple proposed federal class actions were filed against Kelly & Associates Insurance Group, Inc. in the U.S. District Court for the District of Maryland and have been consolidated into a single proceeding: In re Kelly Benefits Data Breach Litigation, No. 1:25-cv-01304 (D. Md.), assigned to Judge Stephanie A. Gallagher. The anchor case is Parks v. Kelly & Associates Insurance Group, Inc., No. 1:25-cv-01311, brought by Milberg LLC (Thomas A. Pacheco, Mariya Weekes, and Zachary Howerton) on behalf of lead plaintiff Brittany Parks. A second early-filed case, Gale v. Kelly & Associates Insurance Group, Inc., No. 8:25-cv-01304-AAQ (filed April 22, 2025), named plaintiff Carolyn Gale of Middle River, Maryland. Downstream employer defendants in the consolidated case include Actalent, Inc., Aerotek Inc., and Amergis Healthcare Staffing, Inc.
The complaints allege:
- Negligence and statutory violations under Maryland’s Personal Information Protection Act (Md. Code Com. Law § 14-3504)
- Failure to encrypt or redact sensitive personal information
- A notification delay of more than four months from discovery (December 17, 2024) to individual notice (May 2, 2025), described as exceeding Maryland’s statutory window by more than 70 days
- Inadequate breach notice content omitting how the breach occurred and whether the threat was contained
- Non-compliance with FTC guidelines on reasonable data security
Plaintiffs’ firms publicly investigating or representing class members include Milberg LLC, Federman & Sherwood, Strauss Borrelli PLLC, Migliaccio & Rathod LLP, Markovits, Stock & DeMarco, Pittman Dutton Hellums Bradley & Mann, Kantrowitz, Goldhamer, Graifman, Perlmutter & Carballo, Schubert Jonckheer & Kolbe, The Lyon Firm, Srourian Law Firm (SLFLA), Murphy Law Firm, Edelson Lechtzin LLP, and Cohen & Malad LLP. No settlement has been announced as of June 2026. The CourtListener docket last updated January 11, 2026.
State AG filings. Kelly Benefits reported the breach to the attorneys general of at least 14 states: California, Iowa, Maine, Massachusetts, Montana, Nebraska, New Hampshire, Oregon, Rhode Island, South Carolina, Texas, Vermont, Washington, and an SEC disclosure was also filed. The Vermont AG was notified on June 5, 2025.
No ransomware group has claimed responsibility and no public dark-web leak of Kelly Benefits data has been reported.
What to do if you received a letter
This week:
- Enroll in the 12 months of IDX credit monitoring and identity-theft protection using the enrollment code in your notification letter. It is free to you. Kelly Benefits’ dedicated assistance line is 1-877-653-5018, available Monday through Friday, 9 a.m. to 9 p.m. Eastern Time. Then place free credit freezes at all three nationwide consumer reporting agencies (Equifax, Experian, TransUnion). The freezes do more than the monitoring does, because they prevent new accounts from being opened in your name at all.
- If your letter mentions Social Security number exposure, file IRS Form 14039 (Identity Theft Affidavit) and place a fraud alert with the Social Security Administration. Tax-refund fraud and unemployment-insurance fraud are the most common downstream consequences of SSN exposure.
- Save your notification letter and the IDX enrollment proof. You will need them to file a claim in any class settlement. They are also the simplest proof of standing for an individual lawsuit if you opt out.
This month:
- Watch for a class-action notice from D. Md. The multiple class actions have been consolidated as In re Kelly Benefits Data Breach Litigation, No. 1:25-cv-01304 (D. Md.), before Judge Stephanie A. Gallagher. When a class is certified or a settlement is preliminarily approved, a court-supervised notice program will send you a claim packet. Until then, no firm needs your personal information to “preserve your rights.”
- Stop the ongoing flow of your medical data. The exposed records include medical and health-insurance information. Once medical data is exposed, it tends to be bought, enriched, and resold by data brokers, ad-tech firms, and consumer-health platforms. HealthConsent files HIPAA restriction requests, FTC Health Breach Notification Rule deletion requests, and state-law deletion requests across the data-broker ecosystem so the medical record exposed in this breach is not continuously re-sold downstream. Credit monitoring addresses financial fraud. It does not address the flow of your diagnoses through the data-broker layer.
Sources
- HIPAA Journal: Kelly Benefits Data Breach Update — More Than 553,000 Individuals Affected — confirms the 553,332 final count, the December 12–17, 2024 access window, and the May 2, 2025 notification mailing.
- SecurityWeek: Kelly Benefits Data Breach Impacts 550,000 People — lists 40+ downstream client names; confirms no attacker attribution.
- BankInfoSecurity: Kelly Benefits Notifying Nearly 264,000 of Data Theft Hack — initial April 9, 2025 OCR filing details and original client list.
- GovInfoSecurity: Kelly Benefits Hack Victim Count Jumps Significantly, Again — covers the count revisions and the volume of class-action filings.
- Milberg LLC: Kelly Benefits Data Breach Lawsuit — D. Md. case number 1:25-cv-01311, lead plaintiff allegations, and Milberg attorneys of record.
- Security Affairs: Kelly Benefits Data Breach Has Impacted 550,000 People — credit monitoring provider (IDX) and lack of ransomware claim of responsibility.
- CourtListener: In re Kelly Benefits Data Breach Litigation, 1:25-cv-01304 (D. Md.) — consolidated docket, Judge Gallagher, defendant counsel, last updated January 11, 2026.
- ClaimDepot: Kelly Benefits data breach — count revision timeline and multi-state AG filing tracker — documents interim counts (413,032 → 488,139 → 533,660) and AG filings in 14+ states including Vermont (notified June 5, 2025) and an SEC disclosure.
- JDSupra / Console & Associates: Kelly Benefits Notifies Guardian Life Insurance Customers — Massachusetts AG filing details; entity background (founded 1976; ~500 employees; ~$448M revenue).
- News Center Maine: Maine School Management Association — 11,596 Maine Residents Affected — names Maine downstream clients including BAYADA, Mutual of Omaha, and Education Affiliates; total of 18,820 Maine residents affected.
- HHS Office for Civil Rights Breach Portal — the federal regulatory record of this breach.
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- Kelly Benefits: Notice of Data Security Event (entity's own notification page)
- Maine Attorney General: Kelly & Associates Insurance Group Data Breach Filing
- HIPAA Journal: Kelly Benefits Data Breach Update — More Than 553,000 Individuals Affected
- SecurityWeek: Kelly Benefits Data Breach Impacts 550,000 People
- BankInfoSecurity: Kelly Benefits Notifying Nearly 264,000 of Data Theft Hack
- GovInfoSecurity: Kelly Benefits Hack Victim Count Jumps Significantly, Again
- Milberg LLC: Kelly Benefits Data Breach Lawsuit — Parks v. Kelly & Associates Insurance Group, No. 1:25-cv-01311 (D. Md.)
- Security Affairs: Kelly Benefits Data Breach Has Impacted 550,000 People
- Infosecurity Magazine: Dozens of Corporates Caught in Kelly Benefits Data Breach
- News Center Maine: Maine School Management Association — 11,596 Maine Residents Affected
- Edelson Lechtzin LLP: Data Breach Alert — Kelly & Associates Insurance Group
- CourtListener: In re Kelly Benefits Data Breach Litigation, 1:25-cv-01304 (D. Md.) — consolidated docket, Judge Gallagher
- ClaimDepot: Kelly Benefits Data Breach — multi-state AG filings tracker and count revision timeline
- JDSupra / Console & Associates: Kelly Benefits Notifies Guardian Life Insurance Customers of Data Breach
- HHS Office for Civil Rights Breach Portal
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.