Active breach tracker St. Paul, MN Disclosed March 25, 2026

Securian Financial Data Breach 2026: 500 Health Plan Members Exposed via Business Associate. Placeholder Count — Final Scope Unknown. What To Do

Securian Financial's group health plan filed an HHS OCR breach in March 2026 classified by HIPAA Journal as 'hacking incident at a business associate' — meaning Securian's plan was the victim, not the source. 500 individuals (placeholder figure). Business associate name, threat actor, and specific PHI categories not publicly disclosed. Here is what to do.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Mar 25, 2026

HHS OCR filing (incident dates not publicly disclosed)

Mar 25, 2026

Attacker gained access

Mar 25, 2026

Breach detected

Data exposed

01

High-risk identity

Enables financial + identity theft

Likely subset of: SSN, DOB, plan member ID, health insurance information (per typical group health plan via BA exposure profile; not confirmed)

03

Contact & insurance

Phishing + targeted scams

Full name (specific PHI categories not publicly disclosed)
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

What happened

Securian Financial is a major St. Paul, Minnesota insurance and financial services holding company. Subsidiaries include Minnesota Life Insurance Company and Securian Life.

Securian filed with HHS OCR on March 25, 2026 for 500 individuals — Hacking/IT Incident at Network Server. HIPAA Journal’s March 2026 Healthcare Data Breach Report classifies the incident as “hacking incident at a business associate” — meaning Securian’s group health plan was the victim, not the source. A third-party vendor servicing Securian’s plan was breached.

The 500 figure is at the minimum HIPAA reporting threshold and is almost certainly a placeholder pending final scope determination. Final count is likely to revise upward as the investigation proceeds.

What this filing covers

Almost certainly Securian’s own employee / sponsored group health plan, not a customer-facing insurance product:

  • HHS OCR entity type recorded as “Health Plan” with Securian Financial as the covered entity
  • Securian’s commercial products (life, dental, vision, voluntary benefits) would file under the named insurance subsidiary (Minnesota Life Insurance Company, Securian Life), not the parent holding name
  • The 500-individual floor is consistent with a small/mid-sized employer plan census, not a customer-facing book of business

Why this page is sparse

As of mid-May 2026, very limited public information is available:

  • Business associate name: not publicly disclosed
  • Incident timeline: discovery date, intrusion window, and individual notification dates not disclosed
  • PHI categories exposed: not publicly disclosed
  • Threat actor: unknown; no ransomware leak-site claim found
  • Credit monitoring offer: unknown; no notice letter located on securian.com or in state AG portals
  • Class actions: none filed; no plaintiff-firm investigations announced
  • State AG filings: Maine AG confirmed NOT filed (full January-May 2026 list reviewed); California, Massachusetts, Minnesota AG portals not yielding hits

This is a stub-grade entry waiting on more public information to surface.

What was potentially exposed

Specific PHI categories are not publicly disclosed. For a typical group health plan via business associate exposure, expect:

  • Full name
  • Social Security number
  • Date of birth
  • Plan member ID
  • Health insurance information

Read your specific notification letter if you receive one for the confirmed data elements.

What to do

  1. If you are a current or former Securian Financial employee (or a dependent enrolled in the company health plan), contact your HR team or benefits administrator to ask whether you have been notified and what credit monitoring is being offered.
  2. Watch for a notification letter — under HIPAA’s 60-day notification rule, letters should land within 60 days of breach determination.
  3. Place free credit freezes at Equifax, Experian, TransUnion as a baseline precaution.
  4. Once the business associate is publicly named, you may want to check whether other employers’ plans were affected through the same vendor.
  5. Stop the ongoing flow of your group-health-plan data. HealthConsent files HIPAA restriction requests covering employer group health plan administration and vendor pathways.

Continue reading

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.