Kelly Benefits data breach compromised nearly half a million individuals

Kelly & Associates Insurance Group said the data security incident it suffered in December compromised the sensitive personal information of almost half a million individuals.

 

In a data security incident notice filed with the Office of Maine Attorney General, Kelly & Associates Insurance Group, doing business as Kelly Benefits, said that on March 3, it identified suspicious activity in its internal network. The company immediately launched an investigation, with assistance from external cyber security experts, to determine the nature and scope of the incident.

 

“Our investigation determined our environment was subject to unauthorised access between December 12, 2024 and December 17, 2024 and certain files were copied and taken,” it said.

 

The compromised data included names, dates of birth, Social Security Numbers, tax ID numbers, medical information, health insurance information, and financial account information. Initially, Kelly Benefits, in its filing with the Maine state regulator, said that it has identified 263,893 individuals impacted by the incident. Later, on May 2, the company said 413,032 individuals were impacted by the data breach.

 

In a recent filing with the Maine state regulators, on May 30, the benefits administration provider said that the sensitive personal information of at least 488,139 people were affected by the breach.

 

The company also notified the Attorney General on behalf of several impacted customers, including Amergis, Beam Benefits, Beltway Companies, CareFirst, Quantum Real Estate Management, and more.

 

“Upon discovery, we reported this matter to the Federal Bureau of Investigation. As is our typical practice, we will continue to review our already robust security policies, procedures, and tools as part of our ongoing commitment to information security,” the benefits and payroll solutions provider added.

 

While Kelly Benefits found no evidence of the compromised information being misused, it advised all affected individuals to regularly monitor their credit reports, account and benefit statements and report any suspicious activity to law enforcement authorities, including the police and the state attorney general.

 

It has also offered one year of complimentary identity protection and credit monitoring services through IDX to all affected individuals.