The insurance company reported a breach affecting approximately 13,000 individuals to the Maine Attorney General.
What happened
The Insurance Office of America (IOA) reported a data breach to the Attorney General of Maine on January 16th, 2026. The breach has reportedly impacted 12,913 individuals, and IOA stated that it discovered the breach just five days earlier, on January 11th. The breach occurred on June 25th, 2025, over a year prior.
Going deeper
According to the breach notice itself, the breach was discovered on June 30th, 2025, although the company used a different date in its disclosure to the Maine Attorney General. In the notice, IOA noted the unauthorized access occurred between June 25th and June 30th, resulting in the theft of names and other personal identifiers, which varied by individual.
While IOA has not stated the incident was a ransomware attack, ransomware group Daixin did take credit for the incident. The group had its first victim in 2022 and has been linked to several other attacks on healthcare organizations, such as Kentucky-based Communicare, Inc, and Acadian Ambulance.
In the know
Ransomware group Daixin rose to relative prominence in 2022, with the Cybersecurity & Infrastructure Security Agency (CISA) releasing guidance on responding to the actor. Since then, the threat actor hasn’t made significant waves, but is known to target business and healthcare organizations. According to the Cloud Security Alliance, Daixin generally obtains network credentials via phishing, and then accesses various systems using a VPN. While the breach against IOA was considered a network attack, the incident is a reminder that these breaches are often connected to stolen credentials, an issue frequently related to phishing, a lack of authentication measures, or poor password security.
The big picture
In response to the incident, IOA has taken steps to improve its security. In its statement, the company said that, to “help relieve concerns and restore confidence following this incident,” it will be offering free credit monitoring. The statement highlights the consequences of data breaches, which can range from massive class action cases to loss of reputation and trust, something that can similarly hurt a company’s financial standing.
Paubox specifically offers tools and software to help insurance organizations keep data secure and follow data privacy rules, including GLBA, HIPAA, and NAIC state regulations. Insurance companies are known for handling significant amounts of personal data, and keeping this data secure is necessary for a company’s success and for its clients’ wellbeing.
FAQs
Why would IOA have different dates of discovery listed?
The IOA has two different dates of discovery; on the Maine Attorney General’s website, it’s listed as January 11th, while on the breach notice itself, it is listed as June 30th, 2025. The breach was likely discovered on the earlier date, but IOA may have delayed notification while the incident was being investigated.
What does IOA do?
According to its notice, IOA provides a variety of insurance-related services to various organizations, like carriers, health plans, and employers. The nature of IOA’s work means it frequently handles personal and protected health information.
