Kelly Benefits data breach impacts over half a million customers

The Maryland-based insurance and benefits firm has confirmed that a December 2024 breach affected more than 550,000 people nationwide.

 

What happened

Kelly & Associates Insurance Group, known as Kelly Benefits, has confirmed that a data breach in December 2024 compromised the personal information of 553,660 individuals. The breach, which occurred between December 12 and 17, allowed unauthorized actors to access and steal files from the company’s systems.

Initial disclosures in April 2025 suggested just over 32,000 people were affected. That number was later revised multiple times as the company investigated the full extent of the breach. The updated total was formally shared with authorities and affected individuals.

 

Going deeper

Kelly Benefits provides a range of services, including benefits consulting, enrollment technology, payroll, HRIS, and carrier management. Because the company works with many organizations across the country, determining the breach’s reach proved complex. In total, 46 entities were impacted, including major insurers such as:

  • United Healthcare
  • Aetna Life Insurance Company (CVS Health)
  • CareFirst BlueCross BlueShield
  • Humana Insurance ACE
  • The Guardian Life Insurance Company of America
  • Mutual of Omaha Insurance Company
  • OneAmerica Financial Partners, Inc.

The breach notification letters state that the exposed data may include full names, Social Security numbers, dates of birth, tax ID numbers, health insurance details, financial account information, and, in some cases, medical data.

 

What was said

The general public notice urges impacted individuals to remain vigilant against phishing attempts, social engineering, and fraud. In response to the breach, Kelly Benefits is offering 12 months of free credit monitoring and identity theft protection through IDX. Customers are also advised to consider placing a credit freeze and regularly checking financial and insurance accounts for suspicious activity.

 

The big picture

The incident shows how third-party breaches can affect a broad network of organizations when personal and medical data is shared across insurers, employers, and vendors. In this case, reliance on a centralized provider like Kelly Benefits led to widespread exposure affecting multiple clients. The gap between breach discovery and complete reporting also points to the complexity of tracing data across interconnected systems, especially when multiple stakeholders are involved.

 

FAQs

Why did it take so long to identify the full number of affected individuals?

Kelly Benefits serves many organizations, and each has different types of data stored in separate systems. It took months to review logs, cross-reference files, and confirm affected individuals across 46 entities.

 

What kind of scams might follow a breach like this?

Victims may face phishing emails, fake calls posing as insurers, or fraudulent attempts to access bank accounts or health services using stolen identity data.

 

How can individuals freeze their credit reports?

Consumers can request a security freeze by contacting the three major credit bureaus (Equifax, Experian, and TransUnion). This prevents new credit from being opened in their name without approval.

 

What is IDX, and what does it offer?

IDX is a third-party identity theft protection provider. Impacted individuals will receive free credit monitoring, fraud resolution assistance, and insurance coverage for identity-related losses.

 
