Mar 20, 2026 · 5 min read

Your Health Benefits Administrator Lost 2.7 Million SSNs—And Took Two Months to Tell You

Navia Benefit Solutions, a third-party administrator handling FSAs, COBRA, and health reimbursement accounts for 10,000 companies, was breached for 24 days before anyone noticed. The stolen data goes back to 2018.

You probably have never heard of Navia Benefit Solutions. But if your employer offers flexible spending accounts, COBRA continuation coverage, or health reimbursement arrangements, there is a reasonable chance Navia manages them. The company administers benefits for over 10,000 organizations and enrolls roughly one million participants in its programs.

On March 19, 2026, Navia disclosed that hackers had been inside its systems for 24 days, from December 22, 2025, through January 15, 2026. In that window, they accessed records belonging to 2,697,540 people, including Social Security numbers, dates of birth, phone numbers, email addresses, and detailed health plan enrollment information dating back to 2018.

24 Days of Access, Two Months of Silence

The timeline tells the story. Unauthorized access began on December 22, 2025. It continued through the holidays and into the new year, ending on January 15, 2026. Navia says it detected suspicious activity on January 23, eight days after the intruder left. The company did not begin notifying affected individuals until March 18, 2026, nearly two months after discovery.

This notification gap is a recurring problem in healthcare breaches. Federal regulations under HIPAA require covered entities to notify individuals within 60 days of discovering a breach, but that still gives attackers months to use stolen data before victims learn they need to act.

What Was Stolen

The compromised data includes:

  • Full names and dates of birth
  • Social Security numbers
  • Phone numbers and email addresses
  • Health plan enrollment details, including FSA, HRA, COBRA, and dependent care accounts
  • Plan termination and election dates

Navia says no claims data or financial information was accessed. But the combination of SSNs, dates of birth, and health plan details is more than enough for identity theft. Someone with your SSN and date of birth can open credit accounts, file fraudulent tax returns, or gain access to other financial services in your name.

The Third-Party Problem

Most people choose their employer, not their benefits administrator. You have no say in which company processes your health spending accounts, and you may never interact with them directly. But those companies hold some of your most sensitive data: your SSN, your dependents' information, your health plan choices, and how much you spend on medical expenses.

This breach follows a pattern of third-party administrator failures in healthcare. Last year, 1.2 million patients' records were exposed through a tracking pixel at Legacy Health. The Marquis Financial Group breach affected 80 banks through a single vendor compromise. In each case, the organization you trusted was not the one that lost your data. A vendor you never chose was.

Who Is Affected

Navia serves clients nationwide, but the breach has particularly impacted Washington state. Approximately 35,000 union workers in Washington, including school district employees and their families, had their PEBB and SEBB health plan data compromised through the breach. The Washington State Health Care Authority confirmed the incident affected members of both the Public Employees Benefits Board and the School Employees Benefits Board programs.

Because the stolen records date back to 2018, even former participants who changed employers years ago may be affected. If you had an FSA, HRA, COBRA, or dependent care account through any of Navia's 10,000 client organizations at any point since 2018, your data could be part of this breach.

Legal Consequences Are Already Building

Multiple class action lawsuits have been filed against Navia in the days since the disclosure. Attorneys are investigating whether the company failed to implement adequate security controls, delayed notification unreasonably, or violated state and federal data protection requirements. The incident has been reported to the Maine Attorney General's Office, federal law enforcement, and the U.S. Department of Health and Human Services.

What You Should Do

If you think you may be affected:

  • Place a credit freeze with all three bureaus (Equifax, Experian, TransUnion). This is the single most effective step you can take to prevent new accounts from being opened in your name.
  • Request your free annual credit report and check for unfamiliar accounts or inquiries.
  • File an identity theft report with the FTC at IdentityTheft.gov if you see any fraudulent activity.
  • Watch for phishing emails that reference health benefits, FSA balances, or COBRA enrollment. Attackers now have enough detail to craft highly convincing messages.
  • Ask your employer's HR department whether Navia administers any of your benefits, since the company may not have notified you yet.

The uncomfortable reality of third-party breaches is that you cannot choose who handles your data, but you still bear the consequences when they lose it. A credit freeze costs nothing and takes minutes. It is the minimum baseline everyone should have in place regardless of whether they know they have been breached.