Navia Benefit Solutions disclosed a network attack that exposed the personal and protected health information of 2,697,540 individuals after unauthorized access to its systems from December 22, 2025, through January 15, 2026.
Summary of Incident
Navia Benefit Solutions based in Renton, Washington reported that hackers had access to its network for about three weeks from late December 2025 to mid‑January 2026. The incident potentially affected 2,697,540 current and former participants and their dependents.
Incident Timeline
The company identified the attack on or around January 15, 2026. Forensic analysis conducted by the company confirmed unauthorized access to its computer environment from December 22, 2025, to January 15, 2026. Navia posted a substitute breach notice on its website on March 13, 2026, and began mailing individual notification letters to affected individuals on March 18, 2026.
Organization Profile
Navia Benefit Solutions manages tax‑advantaged healthcare and dependent care accounts for employers and offers employee benefits administration services. The company reported having more than 10,000 clients and more than 1 million participants.
Data Potentially Compromised
Navia reported that the data potentially compromised in the incident included names, email addresses, phone numbers, and Social Security numbers.
Washington State Health Care Authority’s substitute notice specified additional data elements for its affected members, including first and last names, addresses, phone numbers, Navia ID numbers, enrollment start and end dates, email addresses, employee IDs, Social Security numbers, and dates of birth.
Notifications and Breach Response
Navia notified federal law enforcement and launched an investigation to determine the nature and scope of the incident. The company offered affected individuals complimentary credit monitoring and identity theft protection services for 12 months.
Navia stated that it took steps to secure its systems by implementing additional security measures and giving additional HIPAA training to its employees. Navia did not mention whether the incident involved ransomware or whether a ransom demand was received, and no ransomware group claimed responsibility.
Affected Clients and Records
The Department of Health and Human Services was notified and a media notice was issued in compliance with the HIPAA Breach Notification Rule.
The incident is reportable under HIPAA and, at the time of the company’s disclosure, the incident was not yet shown on the HHS Office for Civil Rights breach portal.
Washington State Health Care Authority confirmed that records going back seven years were compromised for approximately 27,000 current and former Public Employees Benefits Board members, 5,600 current and former School Employees Benefits Board members, and 3,000 current and former Compacts of Free Association islander members. Thirty‑seven school districts that contracted with Navia prior to January 2020 also received notification about the potential compromise of their data.