Insurance technology provider Illumifin says November data breach impacted 98,000 individuals

American insurance technology company Illumifin Corporation said a cyber attack on its systems in November compromised vast amounts of client data, including the personal data of about 98,000 individuals.

 

The Woodbury, Minnesota-headquartered company, which provides insurance technology and administrative services to the insurance sector, said the data security incident occurred on November 4 and involved malicious actors gaining unauthorised access to a portion of its information technology network.

 

When it discovered the unauthorised activity, Illumifin Corporation quickly severed the third-party access to its systems and launched an investigation with help from a third-party forensics firm to determine the nature and scope of the malicious cyber activity.

 

On November 10, the investigation was able to determine that the malicious actors had accessed and exfiltrated certain files stored in the company’s computer systems. The compromised data included certain files that Illumifin had obtained from its clients in the insurance business to provide administrative services.

 

"We conducted a comprehensive review and analysis of the files to determine what information they contained. We informed [redacted client name] of the incident on January 9, 2026, and, following completion of our comprehensive review, provided them with their list of affected individuals on or around February 25, 2026," Illumifin said.

 

"We regret that this incident occurred and apologize for any inconvenience. We wanted to notify you of this incident and assure you we take this matter very seriously," the company said in a letter addressed to affected customers.

 

"To help prevent a similar incident from occurring in the future, we have implemented, and will continue to adopt, additional safeguards to further protect and monitor our systems," it added. The company notified the Attorney Generals of California and Oregon that the data breach compromised the data of 97,781 individuals.

 

The company has not offered complimentary identity protection or credit monitoring services to affected individuals, but has advised them to obtain a free copy of their credit report which every US citizen has the right to obtain once in every 12 months. The company has also advised affected individuals to report incidents of identity theft to the Federal Trade Commission or their state Attorney General’s offices.