Active breach tracker Bridgton, Maine Disclosed November 19, 2025

NAHGA Claim Services Data Breach 2025: 21,834 Reported to HHS OCR (181,160 in Broader State Filings) · Maine TPA for Sports, School and Youth-League Accident Plans

NAHGA Claim Services, a Bridgton, Maine third-party administrator for secondary accident and health coverage for schools, sports leagues and youth organizations, disclosed an April 2025 intrusion that exposed names, Social Security numbers, dates of birth, driver's license and passport numbers, medical/treatment information, health-insurance details and financial account data. HHS OCR portal entry reports 21,834 individuals; broader state filings report 181,160. Notifications mailed November 14, 2025; class action Arnett v. NAHGA Inc., 2:25-cv-00632 (D. Me.) filed.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Apr 8, 2025

Unauthorized access to the NAHGA Claim Services network begins

Apr 13, 2025

NAHGA identifies unusual activity within its computer systems; engages third-party cybersecurity experts and notifies the FBI

Nov 14, 2025

Individual notification letters mailed; 24 months of complimentary IDX identity-theft protection, CyberScan monitoring, $1 million identity-theft insurance, and managed recovery services offered

Nov 19, 2025

HHS OCR breach filing: Hacking/IT Incident at Network Server, Health Plan, 21,834 individuals

Dec 15, 2025

Arnett v. NAHGA Inc., No. 2:25-cv-00632, filed in U.S. District Court for the District of Maine

Data exposed

01

High-risk identity

Enables financial + identity theft

Social Security number Date of birth Driver's license or state ID number Passport number

02

Health records

Don't expire and can't be reissued

Medical or treatment information

03

Contact & insurance

Phishing + targeted scams

Full name Health insurance information (insurer, policy/member number) Financial account information

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Edelson Lechtzin LLP (Marc H. Edelson) Strauss Borrelli PLLC Wolf Haldenstein Adler Freeman & Herz Lynch Carpenter LLP Console & Associates P.C.
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

NAHGA Claim Services, the Bridgton, Maine third-party administrator that processes secondary accident and health insurance claims for schools, sports leagues, and youth organizations, disclosed an April 2025 network intrusion that exposed personal, medical, and financial data on individuals whose claims it administers on behalf of those plans.

What happened

NAHGA Claim Services is a HIPAA business associate. Schools, university athletic departments, sports leagues, summer camps, and youth-recreation organizations hire NAHGA to administer the secondary accident and health insurance policies they buy to cover participant injuries. To do that work, NAHGA holds the kinds of files those plans generate: enrollment records, claim forms, treating-provider notes, insurance ID numbers, and payment information.

According to NAHGA’s own disclosure, an external intruder accessed the company’s network environment between April 8 and April 10, 2025. NAHGA identified unusual activity on April 13, 2025, engaged third-party cybersecurity experts, and notified the FBI. A file review determined the intruder may have acquired files containing personal and protected health information. Individual notification letters were mailed beginning November 14, 2025 — roughly seven months after discovery.

NAHGA filed a HIPAA breach notification with the U.S. Department of Health and Human Services Office for Civil Rights on November 19, 2025, reporting 21,834 affected individuals, a Hacking/IT Incident at a Network Server, with the entity’s role listed as Health Plan. State attorney general filings tell a larger story: the aggregate population reported across the Maine, Texas, Massachusetts, South Carolina, Washington, New Hampshire, Iowa, Montana, Oregon, Vermont, and California attorneys general is 181,160 individuals. The discrepancy between the OCR figure and the state-AG aggregate is consistent with NAHGA having filed an initial HIPAA-covered subset with OCR; the wider total includes individuals on non-HIPAA-covered accident policies administered by the same files. The Maine Attorney General records 176 Maine residents in the affected population.

Timeline

  • April 8 to 10, 2025 — Unauthorized access to the NAHGA Claim Services network
  • April 13, 2025 — NAHGA identifies unusual network activity, engages third-party cybersecurity experts, notifies the FBI
  • November 14, 2025 — Individual notification letters mailed; 24 months of complimentary IDX identity-theft protection offered
  • November 19, 2025 — HHS OCR filing: Hacking/IT Incident at Network Server, Health Plan, 21,834 individuals
  • December 15, 2025Arnett v. NAHGA Inc., No. 2:25-cv-00632, filed in U.S. District Court for the District of Maine

What was exposed

The data elements NAHGA has confirmed in its notification letters and in state attorney general filings:

  • Full name
  • Social Security number
  • Date of birth
  • Driver’s license or state ID number
  • Passport number (a smaller subset)
  • Health insurance information (insurer, policy number, member ID)
  • Medical or treatment information (diagnoses, treatment notes, claim details)
  • Financial account information

The specific combination varies by individual. Each recipient’s notification letter identifies the exact data elements involved for that person.

Who is notifying you (and why it is a claims administrator you may not recognize)

NAHGA Claim Services is a third-party administrator, not the insurer or the school, league, or organization that signed you or your child up for coverage. The HIPAA Breach Notification Rule lets a business associate either notify affected individuals itself or delegate that duty back to the covered entity — the actual insurance carrier or self-insured plan. NAHGA took the direct route: it sent letters in its own name, which is why many parents, athletes, and camp participants are receiving a notification from a Maine company they have never heard of.

If you or a member of your family participated in a school sports program, college athletic team, youth league, summer camp, or other recreational activity in the United States in the past several years, and the program carried secondary accident insurance that paid out for an injury, there is a meaningful probability that NAHGA processed that claim and held your file. The notification letter itself is the only definitive record of inclusion.

Class-action posture

The first proposed class action, Arnett v. NAHGA Inc., No. 2:25-cv-00632, was filed in the U.S. District Court for the District of Maine in December 2025. Additional plaintiffs’ firms publicly investigating or representing class members include Edelson Lechtzin LLP (Marc H. Edelson), Strauss Borrelli PLLC, Wolf Haldenstein Adler Freeman & Herz, Lynch Carpenter LLP, and Console & Associates P.C.

Complaints and pre-suit investigations generally allege:

  • Negligence and breach of implied contract
  • Inadequate data security relative to the sensitivity of the records held
  • A notification delay of more than seven months from discovery (April 13, 2025) to individual notice (November 14, 2025)
  • Statutory violations under Maine’s Notice of Risk to Personal Data Act and parallel state breach-notification laws
  • Failure to encrypt or otherwise render the affected files unreadable

No consolidation order or settlement is on the public docket as of May 2026. No ransomware group has claimed responsibility and no dark-web leak of NAHGA data has been publicly reported.

What to do if you received a letter

This week:

  1. Enroll in the 24 months of IDX identity-theft protection using the enrollment code in your notification letter. It is free to you and includes CyberScan monitoring, a $1 million identity-theft insurance policy, and fully managed identity-theft recovery services. Then place free credit freezes at all three nationwide consumer reporting agencies (Equifax, Experian, TransUnion). The freezes do more than the monitoring does, because they prevent new accounts from being opened in your name at all.
  2. If your letter mentions Social Security number, driver’s license number, or passport exposure, file IRS Form 14039 (Identity Theft Affidavit), request a replacement driver’s license through your state DMV, and treat the passport number as compromised for future TSA, banking, and KYC contexts. Tax-refund fraud and unemployment-insurance fraud are the most common downstream consequences of SSN exposure.
  3. Save your notification letter and the IDX enrollment proof. You will need them to file a claim in any class settlement, and they are the simplest proof of standing for an individual lawsuit if you opt out.

This month:

  1. Watch for a class-action notice from D. Me. When Arnett and any later-filed actions are consolidated and a class is certified or a settlement is preliminarily approved, a court-supervised notice program will send you a claim packet. Until then, no firm needs your personal information to “preserve your rights.”
  2. Stop the ongoing flow of your medical data. The exposed records include medical and treatment information. Once medical data is exposed, it tends to be bought, enriched, and resold by data brokers, ad-tech firms, and consumer-health platforms. HealthConsent files HIPAA restriction requests, FTC Health Breach Notification Rule deletion requests, and state-law deletion requests across the data-broker ecosystem so the medical record exposed in this breach is not continuously re-sold downstream. Credit monitoring addresses financial fraud. It does not address the flow of your diagnoses through the data-broker layer.

Sources

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.