Navia Benefit Solutions has confirmed a significant data breach impacting nearly 2.7 million individuals.
The incident resulted from unauthorized access to the company’s systems, exposing sensitive personal and health plan information.
As a prominent administrator of employee benefits for over 10,000 employers in the United States, Navia holds a vast amount of sensitive data, including flexible spending arrangement (FSA) and dependent care assistance program details.
A threat actor gained unauthorized entry into the environment, but the company confirmed that the attackers did not access any direct financial data, bank account information, or health claims.
Technical Details
The security breach stemmed from a vulnerability in an Application Programming Interface (API) used by the organization.
The unauthorized third party exploited this flaw to obtain read-only access to participant data.
Because the attackers navigated the environment without directly altering systems or moving funds, immediate detection was delayed.
Navia’s security teams have since patched the API vulnerability to prevent further exposure.
They also disabled participant registration temporarily to strengthen authentication controls. There is currently no evidence of system-wide encryption or ransomware involvement.
The breach included records going back seven years to 2018, affecting numerous current and former members of public employee benefit programs.
The compromised information poses a significant risk for targeted phishing and social engineering campaigns. The specific data elements exposed during the breach include:
- Personal identifiers: full names, dates of birth, and physical addresses.
- Contact details: email addresses and phone numbers.
- Highly sensitive identifiers: Social Security numbers and Navia ID numbers.
- Health plan details: participation in HRAs, FSAs, and COBRA, along with termination dates.
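The section above notes that read-only API access, which alters nothing and moves no funds, is easy to miss. One defensive check a practitioner would want is a review of API access logs for clients that read far more distinct participant records than a legitimate user would. The script below is an added illustration, not Navia's code or log format; the log lines, token names, URL paths, and threshold are constructed assumptions.

```python
"""Flag API clients that read an unusual number of distinct participant
records. Added illustration: the log format, tokens, paths and threshold
are constructed assumptions, not Navia's actual logs or API."""
from collections import defaultdict
import re

# Constructed sample of read-only API access log lines (not real data).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z token=emp-4411 GET /v1/participants/100231 200
2024-05-01T10:00:02Z token=emp-4411 GET /v1/participants/100232 200
2024-05-01T10:00:03Z token=emp-4411 GET /v1/participants/100233 200
2024-05-01T10:00:04Z token=emp-4411 GET /v1/participants/100234 200
2024-05-01T10:00:05Z token=emp-4411 GET /v1/participants/100235 200
2024-05-01T10:01:10Z token=usr-0098 GET /v1/participants/200777 200
2024-05-01T10:01:11Z token=usr-0098 GET /v1/participants/200777/plans 200
2024-05-01T10:02:00Z token=usr-0133 GET /v1/participants/200778 200
"""

# Hypothetical line layout: timestamp, client token, method, path, status.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) token=(?P<token>\S+) (?P<method>[A-Z]+) "
    r"(?P<path>/v1/participants/(?P<pid>\d+)\S*) (?P<status>\d{3})$"
)


def distinct_reads_per_token(log_text):
    """Return {token: set of participant ids} for successful GET reads."""
    reads = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "GET" or m["status"] != "200":
            continue  # skip malformed lines, writes, and failed requests
        reads[m["token"]].add(m["pid"])
    return reads


def flag_enumerators(log_text, max_distinct=3):
    """Tokens that read more than max_distinct different participants.
    The threshold is illustrative; tune it per client role in practice."""
    return sorted(t for t, ids in distinct_reads_per_token(log_text).items()
                  if len(ids) > max_distinct)


if __name__ == "__main__":
    print(flag_enumerators(SAMPLE_LOG))  # ['emp-4411']
```

A self-service participant normally touches only their own record, so a single token walking through many different participant IDs is the signal to alert on, whether or not any write ever occurs.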
Response and Mitigation
Upon detecting the anomaly, Navia immediately secured the affected API endpoints and launched a comprehensive internal investigation alongside external forensic specialists.
The company notified federal law enforcement and relevant state and federal regulatory authorities, including the U.S. Department of Health and Human Services.
Additionally, Navia notified all employers that currently or previously contracted with them about the data exposure.
To support the impacted users, Navia is offering 12 months of complimentary identity protection and credit monitoring services through Kroll.
Users are strongly advised to remain vigilant, place fraud alerts, and monitor their credit reports for any suspicious activity. The company has also reinforced its systems with enhanced multi-factor authentication requirements.