NAHGA Claim Services Data Breach 2025: 21,834 Reported to HHS OCR (181,160 in Broader State Filings) · Maine TPA for Sports, School and Youth-League Accident Plans
NAHGA Claim Services, a Bridgton, Maine third-party administrator for secondary accident and health coverage for schools, sports leagues and youth organizations, disclosed an April 2025 intrusion that exposed names, Social Security numbers, dates of birth, driver's license and passport numbers, medical/treatment information, health-insurance details and financial account data. HHS OCR portal entry reports 21,834 individuals; broader state filings report 181,160. Notifications mailed November 14, 2025; class action Arnett v. NAHGA Inc., 2:25-cv-00632 (D. Me.) filed.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Apr 8, 2025
Unauthorized access to the NAHGA Claim Services network begins
Apr 13, 2025
NAHGA identifies unusual activity within its computer systems; engages third-party cybersecurity experts and notifies the FBI
Nov 14, 2025
Individual notification letters mailed; 24 months of complimentary IDX identity-theft protection, CyberScan monitoring, $1 million identity-theft insurance, and managed recovery services offered
Nov 19, 2025
HHS OCR breach filing: Hacking/IT Incident at Network Server, Health Plan, 21,834 individuals
Dec 15, 2025
Arnett v. NAHGA Inc., No. 2:25-cv-00632, filed in U.S. District Court for the District of Maine
Apr 8, 2025
Unauthorized access to the NAHGA Claim Services network begins
Apr 13, 2025
NAHGA identifies unusual activity within its computer systems; engages third-party cybersecurity experts and notifies the FBI
Nov 14, 2025
Individual notification letters mailed; 24 months of complimentary IDX identity-theft protection, CyberScan monitoring, $1 million identity-theft insurance, and managed recovery services offered
Nov 19, 2025
HHS OCR breach filing: Hacking/IT Incident at Network Server, Health Plan, 21,834 individuals
Dec 15, 2025
Arnett v. NAHGA Inc., No. 2:25-cv-00632, filed in U.S. District Court for the District of Maine
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
NAHGA Claim Services, the Bridgton, Maine third-party administrator that processes secondary accident and health insurance claims for schools, sports leagues, and youth organizations, disclosed an April 2025 network intrusion that exposed personal, medical, and financial data on individuals whose claims it administers on behalf of those plans.
What happened
NAHGA Claim Services is a HIPAA business associate. Schools, university athletic departments, sports leagues, summer camps, and youth-recreation organizations hire NAHGA to administer the secondary accident and health insurance policies they buy to cover participant injuries. To do that work, NAHGA holds the kinds of files those plans generate: enrollment records, claim forms, treating-provider notes, insurance ID numbers, and payment information.
According to NAHGA’s own disclosure, an external intruder accessed the company’s network environment between April 8 and April 10, 2025. NAHGA identified unusual activity on April 13, 2025, engaged third-party cybersecurity experts, and notified the FBI. A file review determined the intruder may have acquired files containing personal and protected health information. Individual notification letters were mailed beginning November 14, 2025 — roughly seven months after discovery.
NAHGA filed a HIPAA breach notification with the U.S. Department of Health and Human Services Office for Civil Rights on November 19, 2025, reporting 21,834 affected individuals, a Hacking/IT Incident at a Network Server, with the entity’s role listed as Health Plan. State attorney general filings tell a larger story: the aggregate population reported across the Maine, Texas, Massachusetts, South Carolina, Washington, New Hampshire, Iowa, Montana, Oregon, Vermont, and California attorneys general is 181,160 individuals. The discrepancy between the OCR figure and the state-AG aggregate is consistent with NAHGA having filed an initial HIPAA-covered subset with OCR; the wider total includes individuals on non-HIPAA-covered accident policies administered by the same files. The Maine Attorney General records 176 Maine residents in the affected population.
Timeline
- April 8 to 10, 2025 — Unauthorized access to the NAHGA Claim Services network
- April 13, 2025 — NAHGA identifies unusual network activity, engages third-party cybersecurity experts, notifies the FBI
- November 14, 2025 — Individual notification letters mailed; 24 months of complimentary IDX identity-theft protection offered
- November 19, 2025 — HHS OCR filing: Hacking/IT Incident at Network Server, Health Plan, 21,834 individuals
- December 15, 2025 — Arnett v. NAHGA Inc., No. 2:25-cv-00632, filed in U.S. District Court for the District of Maine
What was exposed
The data elements NAHGA has confirmed in its notification letters and in state attorney general filings:
- Full name
- Social Security number
- Date of birth
- Driver’s license or state ID number
- Passport number (a smaller subset)
- Health insurance information (insurer, policy number, member ID)
- Medical or treatment information (diagnoses, treatment notes, claim details)
- Financial account information
The specific combination varies by individual. Each recipient’s notification letter identifies the exact data elements involved for that person.
Who is notifying you (and why it is a claims administrator you may not recognize)
NAHGA Claim Services is a third-party administrator, not the insurer or the school, league, or organization that signed you or your child up for coverage. The HIPAA Breach Notification Rule lets a business associate either notify affected individuals itself or delegate that duty back to the covered entity — the actual insurance carrier or self-insured plan. NAHGA took the direct route: it sent letters in its own name, which is why many parents, athletes, and camp participants are receiving a notification from a Maine company they have never heard of.
If you or a member of your family participated in a school sports program, college athletic team, youth league, summer camp, or other recreational activity in the United States in the past several years, and the program carried secondary accident insurance that paid out for an injury, there is a meaningful probability that NAHGA processed that claim and held your file. The notification letter itself is the only definitive record of inclusion.
Class-action posture
The first proposed class action, Arnett v. NAHGA Inc., No. 2:25-cv-00632, was filed in the U.S. District Court for the District of Maine in December 2025. Additional plaintiffs’ firms publicly investigating or representing class members include Edelson Lechtzin LLP (Marc H. Edelson), Strauss Borrelli PLLC, Wolf Haldenstein Adler Freeman & Herz, Lynch Carpenter LLP, and Console & Associates P.C.
Complaints and pre-suit investigations generally allege:
- Negligence and breach of implied contract
- Inadequate data security relative to the sensitivity of the records held
- A notification delay of more than seven months from discovery (April 13, 2025) to individual notice (November 14, 2025)
- Statutory violations under Maine’s Notice of Risk to Personal Data Act and parallel state breach-notification laws
- Failure to encrypt or otherwise render the affected files unreadable
No consolidation order or settlement is on the public docket as of May 2026. No ransomware group has claimed responsibility and no dark-web leak of NAHGA data has been publicly reported.
What to do if you received a letter
This week:
- Enroll in the 24 months of IDX identity-theft protection using the enrollment code in your notification letter. It is free to you and includes CyberScan monitoring, a $1 million identity-theft insurance policy, and fully managed identity-theft recovery services. Then place free credit freezes at all three nationwide consumer reporting agencies (Equifax, Experian, TransUnion). The freezes do more than the monitoring does, because they prevent new accounts from being opened in your name at all.
- If your letter mentions Social Security number, driver’s license number, or passport exposure, file IRS Form 14039 (Identity Theft Affidavit), request a replacement driver’s license through your state DMV, and treat the passport number as compromised for future TSA, banking, and KYC contexts. Tax-refund fraud and unemployment-insurance fraud are the most common downstream consequences of SSN exposure.
- Save your notification letter and the IDX enrollment proof. You will need them to file a claim in any class settlement, and they are the simplest proof of standing for an individual lawsuit if you opt out.
This month:
- Watch for a class-action notice from D. Me. When Arnett and any later-filed actions are consolidated and a class is certified or a settlement is preliminarily approved, a court-supervised notice program will send you a claim packet. Until then, no firm needs your personal information to “preserve your rights.”
- Stop the ongoing flow of your medical data. The exposed records include medical and treatment information. Once medical data is exposed, it tends to be bought, enriched, and resold by data brokers, ad-tech firms, and consumer-health platforms. HealthConsent files HIPAA restriction requests, FTC Health Breach Notification Rule deletion requests, and state-law deletion requests across the data-broker ecosystem so the medical record exposed in this breach is not continuously re-sold downstream. Credit monitoring addresses financial fraud. It does not address the flow of your diagnoses through the data-broker layer.
Sources
- NAHGA Claim Services: Notice of Data Security Incident — the entity’s own substitute notice, listing the April 13, 2025 discovery, November 14, 2025 mailing date, IDX 24-month protection offering, and the 1-844-274-4845 call center.
- ClassAction.org: NAHGA Claim Services Data Breach Impacts 181K — confirms the 181,160 aggregate population, April 8 to 11 access window, and the full list of exposed data elements including driver’s license and passport numbers.
- BeyondMachines: NAHGA Claim Services Data Breach Exposes Health Information of Over 181,000 Individuals — TPA description, financial account information detail, and December 19, 2025 public-disclosure date.
- ClaimDepot: NAHGA Claims Services Data Breach Affects 181K People — state-by-state AG filing counts (Texas 46,372; South Carolina 4,381; Massachusetts 1,017; Maine 474; New Hampshire 337; Washington 1,621; Iowa 929; Montana 10).
- Strauss Borrelli PLLC: NAHGA Claims Services Data Breach Investigation — describes NAHGA as an “independently owned and operated third party medical claims administrator based in Maine” handling claims for insurers including Philadelphia Insurance Companies.
- Edelson Lechtzin LLP: Data Breach Alert — confirms NAHGA’s client base of “schools, sports leagues, and youth organizations” and the law firm’s class investigation.
- Justia Dockets: Arnett v. NAHGA Inc., 2:25-cv-00632 (D. Me.) — the first filed federal class action arising from the breach.
- HHS Office for Civil Rights Breach Portal — the federal regulatory record of the November 19, 2025 filing: Hacking/IT Incident, Network Server, 21,834 individuals, Health Plan.
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- NAHGA Claim Services: Notice of Data Security Incident (PRNewswire)
- ClassAction.org: NAHGA Claim Services Data Breach Impacts 181K; Attorneys Investigate
- BeyondMachines: NAHGA Claim Services Data Breach Exposes Health Information of Over 181,000 Individuals
- ClaimDepot: NAHGA Claims Services Data Breach Affects 181K People
- Strauss Borrelli PLLC: NAHGA Claims Services Data Breach Investigation
- Edelson Lechtzin LLP: Data Breach Alert (PRNewswire)
- Justia Dockets: Arnett v. NAHGA Inc., 2:25-cv-00632 (D. Me.)
- HHS Office for Civil Rights Breach Portal
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.