
In February 2024, Houston-based VeriSource Services, a company that provides employee benefits administration services, experienced a cybersecurity incident involving unauthorized access to sensitive data.
What happened
Initially, in an August 2024 filing with the U.S. Department of Health and Human Services Office for Civil Rights, VeriSource reported that approximately 112,000 individuals were affected. However, after a year-long investigation involving coordination with its client companies, the company updated its findings in a filing with the Maine Attorney General's Office on April 23, 2025.
This new disclosure revealed that the personal data of approximately 4 million individuals had been accessed by an “unknown actor.” The compromised information may include names, addresses, dates of birth, genders, and Social Security numbers, although not all data elements were taken for each person.
VeriSource stated it had worked with the FBI since the breach and claimed there was no evidence of the stolen data being misused. Nevertheless, the company began notifying affected individuals in April 2025 and is offering credit monitoring and identity theft protection services for 12 or 24 months.
What was said
According to the online version of the notification letter, “The privacy and protection of personal and protected health information is our top priority, and [VeriSource] deeply regrets any inconvenience or concern this incident may cause.”
Why it matters
Healthcare organizations often depend on vendors like VeriSource to manage employee benefits and protected health information, so a breach at such a provider can directly compromise HIPAA-protected data. Under HIPAA rules, covered entities must ensure their business associates implement adequate security controls, and breaches of this magnitude typically trigger investigations by the HHS Office for Civil Rights and expose organizations to potential civil monetary penalties. Incidents of this scale also undermine patient and employee trust, as individuals may become reluctant to share sensitive health details if they worry about data security.
FAQs
What is a healthcare data breach?
A healthcare data breach occurs when protected health information (PHI) is accessed, acquired, or disclosed without authorization, compromising its confidentiality, integrity, or availability.
What are the HIPAA breach notification requirements?
Covered entities must notify the Secretary of HHS and affected individuals “without unreasonable delay,” and in no case later than 60 calendar days after discovering a breach affecting 500 or more individuals.
What types of information are most commonly exposed?
Hacking and IT incidents account for the majority of healthcare breaches, often targeting email systems and network servers where PHI is stored. Unauthorized internal disclosures and physical theft/loss of devices also contribute.