A major data breach at Kelly & Associates Insurance Group (dba Kelly Benefits) has impacted over 550,000 individuals after hackers accessed and stole sensitive files from the company’s IT systems in December 2024. The breach, which initially appeared to affect around 32,000 people, was later found to compromise the data of 553,660 individuals as the investigation progressed and more affected parties were identified.
Key details of the breach
The unauthorized access occurred between December 12 and 17, 2024. Kelly Benefits did not begin notifying affected individuals until April 2025, several months after the breach. The compromised data includes full names, dates of birth, Social Security numbers, tax identification numbers, health insurance and medical information, and financial account details. The breach affected clients of Kelly Benefits across more than 40 organizations, including major insurers and employers such as UnitedHealthcare, The Guardian Life Insurance Company of America, CVS Health, OneAmerica Financial Partners, Aetna, CareFirst, and others. The stolen files were reportedly unencrypted and unredacted, increasing the risk of identity theft and financial fraud for those affected.
Kelly Benefits has faced criticism for the delayed notification to victims and for allegedly inadequate security measures, with a class action lawsuit filed by affected individuals. The lawsuit alleges failure to protect sensitive data and to comply with both state and federal data protection requirements.
Impacts and risks
Those affected face heightened risks of identity theft, financial fraud, and misuse of medical information. As of now, no ransomware group has claimed responsibility for the attack, and the specific perpetrators remain unidentified.
