Healthcare consulting company Phia Group says 2024 data breach impacted over 120,000 people

The Phia Group, a healthcare consulting and cost-containment company, recently announced that a data security incident it experienced in 2024 compromised sensitive personal information of more than 120,000 individuals.

 

Headquartered in Massachusetts, the Phia Group is a healthcare consulting and cost-containment firm that helps health plans, employers, and insurers manage medical claims and reduce healthcare costs. The company’s services include reimbursement recovery, subrogation, and compliance consulting.

 

In a data security incident notice published on its website, the group said that on July 9, 2024, it detected suspicious activity on its computer network which temporarily disrupted network operations. The company immediately launched an investigation, with assistance from external cyber security experts, to determine the nature and scope of the incident.

 

“The investigation determined that some data may have been acquired between July 8, 2024 and July 9, 2024. We then completed a comprehensive and thorough review of the data potentially involved to identify what personal information was impacted and to whom it belonged. 

 

“On December 4, 2025, we advised applicable clients and partners (Business Associates) that information regarding some of their health benefit plan(s) and/or plan clientele (Covered Entities) and plan participants may have been affected,” Phia said.

 

The compromised data included names, addresses, dates of birth, medical information, prescription information, health insurance information, provider information, treatment information, lab results, patient account and medical record numbers, Medicare/Medicaid information, driver’s license or state identification card numbers, other government issued identifications, financial account information, and Social Security numbers.

 

In a regulatory filing with the Office of the Attorney General of Texas, Phia said that it has identified at least 121,354 individuals who were impacted by the data security incident.

 

While the healthcare consulting firm found no evidence of the compromised information being misused, it advised all affected individuals to regularly monitor their credit reports, account and benefit statements and report any suspicious activity to law enforcement authorities, including the police and the state attorney general. It has also offered complimentary identity protection and credit monitoring services through Kroll to all affected individuals.

 

At the time of publishing, no known hacker group claimed responsibility for the cyber attack on the Phia Group. The company also did not share details on who was behind the attack, how much data was compromised, or whether it had received a ransom demand.