Navia Benefit Solutions Data Breach Exposes Nearly 2.7 Million People

Hackers accessed Navia Benefit Solutions' systems for 24 days before detection, exposing Social Security numbers and health benefit data for 2,697,540 people.

By Ellie Harper
An unauthorized actor spent 24 undetected days inside the computer systems of Navia Benefit Solutions, accessing and acquiring the personal and benefits records of 2,697,540 people before the Washington State company discovered the intrusion, according to the company's own breach notification and a filing with the Maine Attorney General.

Hackers had access to Navia's systems between December 22, 2025, and January 15, 2026, and the company did not discover the suspicious activity until January 23. Founded in 1989 and headquartered in Washington State, Navia is a consumer-focused benefits administrator that serves more than 10,000 employers across the U.S., offering tools and platforms to help employees manage healthcare and financial benefits.

"On January 23, 2026, Navia discovered suspicious activity related to our environment. Navia promptly responded and launched an investigation to confirm the nature and scope of the incident. The investigation determined that an unauthorized actor accessed and acquired certain information between December 22, 2025, and January 15, 2026," the company said in its breach notification.

According to the company's notification, the unauthorized actor gained access to and potentially exfiltrated data including full names, dates of birth, Social Security numbers, phone numbers, email addresses, and details about participation in Health Reimbursement Arrangements, Flexible Spending Accounts, and COBRA enrollment. Additional administrative data fields were also involved: reporting from Security Affairs identified termination dates and election dates as among the potentially impacted data points.

While Navia stated that claims or financial information were not exposed, the compromised data is sufficient for threat actors to conduct phishing and social engineering attacks. The combination of Social Security numbers, dates of birth, employer-linked benefit enrollment status, and contact details gives bad actors a detailed profile for targeting individuals with highly specific, credible fraud schemes.

Federal law enforcement was notified, and the company has been working to implement additional security measures and provide its employees with additional training to prevent similar incidents in the future. Navia did not disclose whether this was a ransomware attack or whether it received a ransom demand, and no ransomware group has claimed responsibility for the incident.

Navia began mailing notification letters to impacted individuals on March 18. The letters include an enrollment code for 12 months of free identity protection and credit monitoring services through Kroll, which recipients can activate at enroll.krollmonitoring.com/redeem using the code provided.

The breach's reach extended to at least one government client. Navia contracted with the Washington State Health Care Authority as the administrator of its Flexible Spending Arrangement and Dependent Care Assistance Program for the PEBB and SEBB Programs. The agency published its own substitute breach notice confirming that records going back seven years were compromised, affecting approximately 27,000 current and former PEBB members, 5,600 current and former SEBB members, and 3,000 current and former Compacts of Free Association islander members. In addition, 37 school districts that contracted with Navia before the SEBB Program was implemented in January 2020 were notified that some of their data was potentially compromised.

On the legal front, at least two law firms have opened investigations into potential class action claims. Edelson Lechtzin LLP, a national class action firm based in suburban Philadelphia, announced it is actively investigating data privacy claims arising from the breach, citing the March 18 Maine Attorney General filing. Murphy Law Firm is also investigating claims on behalf of all individuals whose personal and confidential information was compromised in the breach.

The data breach is a reportable incident under HIPAA, and the Department of Health and Human Services has been notified, with a media notice issued in compliance with the HIPAA Breach Notification Rule. The scale of the incident, touching a company that manages benefit programs for over 10,000 employers and more than one million participants, places it among the larger third-party benefits administrator breaches disclosed this year.