Navia Benefit Solutions announces breach impacting nearly 3 million

The employee benefits service provider faced a breach that lasted approximately three weeks, impacting millions of clients.

 

What happened

Navia Benefit Solutions, a Washington-based company that provides employee benefits administration services, recently began alerting employees of a large data breach. In Navia’s published notice, the company said it first discovered suspicious activity on January 23rd, 2026. Through an investigation, Navia determined an unauthorized actor had infiltrated its systems and acquired data between December 22nd, 2025, and January 15th, 2026. The data involved included names, dates of birth, Social Security numbers, phone numbers, email addresses, and some health insurance information, such as enrollment in the Consolidated Omnibus Budget Reconciliation Act (COBRA).

In a report to the Maine Attorney General, Navia stated 2,697,540 individuals had been impacted.

 

Why it matters

Navia is one of the largest administrators of benefits, providing services to over 10,000 different employers across the US. While the breach didn’t result in the disclosure of financial information, the data included could still be enough to deploy various phishing and social engineering attacks against victims.

According to the Identity Theft Resource Center’s 2025 annual data breach report, published earlier this year, 88% of individuals who received a data breach notice experienced at least one negative consequence following the incident. 40% noted an increase in phishing or scam attempts, 49% experienced an increase in spam or robocalls, and 40% said they experienced an actor attempting to take over their account. While this can be a distressing experience for victims, it also has a direct impact on organizations. The potential for a breach to lead to real harm can directly influence a settlement agreement, as organizations may be liable to pay for damages caused.

 

The big picture

While Navia isn’t a healthcare organization, as a benefits administration service, the organization handles a significant amount of private data whose exposure could constitute a HIPAA violation or that could be valuable on the dark web. Breaches against business associates like Navia are fairly common, especially as many healthcare organizations don’t realize the oversight needed to ensure data remains secure.

One recent Paubox report noted that many organizations’ relationships with business associates appear compliant on paper, but the associates may not be following through on compliance promises. For instance, HIPAA mandates that organizations sign a business associate agreement (BAA) with partners that handle protected health information (PHI), outlining how the vendor will ensure data security. While signing this agreement is critical, organizations must make sure these promises are followed through.

 

FAQs

Will Navia or employers notify impacted individuals?

When business associates are involved in a data breach, the associates generally coordinate with their business partners (in this case the employers) to determine who should send the notices. In this case, Navia stated they began mailing out notices on March 18th.

 

Is this breach considered a violation of HIPAA?

While Navia is considered a business associate, rather than a covered entity themselves, the incident could constitute a HIPAA breach because PHI, like health insurance information, was involved in the incident.
