Kelly Benefits data breach compromised over 250,000 individuals

Kelly & Associates Insurance Group said it experienced a data security incident in December that compromised the sensitive personal information of more than 250,000 individuals.

 

Headquartered in Sparks, Maryland, Kelly & Associates Insurance Group, doing business as Kelly Benefits, is a benefits administration company provides individual insurance, worker’s compensation, benefits administration, consulting, and workforce management solutions. 

 

In a data security incident notice filed with the Office of Maine Attorney General, Kelly Benefits said that on March 3, it identified suspicious activity in its internal network. The company immediately launched an investigation, with assistance from external cyber security experts, to determine the nature and scope of the incident.

 

“Our investigation determined our environment was subject to unauthorised access between December 12, 2024 and December 17, 2024 and certain files were copied and taken,” it said.

 

The compromised data included names, dates of birth, Social Security Numbers, tax ID numbers, medical information, health insurance information, and financial account information. Kelly Benefits said in its filing with the Maine state regulator that at least 263,893 individuals were impacted by the incident.

 

The company also notified the Attorney General on behalf of several impacted customers, including Amergis, Beam Benefits, Beltway Companies, CareFirst, Quantum Real Estate Management, and more.

 

“Upon discovery, we reported this matter to the Federal Bureau of Investigation. As is our typical practice, we will continue to review our already robust security policies, procedures, and tools as part of our ongoing commitment to information security,” the benefits and payroll solutions provider added.

 

While Kelly Benefits found no evidence of the compromised information being misused, it advised all affected individuals to regularly monitor their credit reports, account and benefit statements and report any suspicious activity to law enforcement authorities, including the police and the state attorney general.

 

It has also offered one year of complimentary identity protection and credit monitoring services through IDX to all affected individuals.

 

At the time of publishing, no known hacker group claimed responsibility for the cyber attack on Kelly Benefits. The company also did not share details on who was behind the attack, how much data was compromised, or whether it has received a ransom demand.