A Washington-state benefits administrator has disclosed one of the larger healthcare-adjacent data breaches of 2026. Navia Benefit Solutions, which manages flexible spending accounts, COBRA administration, and health reimbursement arrangements for roughly 10,000 employers nationwide, confirmed that unauthorized actors spent nearly a month moving through its systems before being detected — potentially acquiring sensitive data on 2,697,540 individuals.

What Happened

On January 23, 2026, Navia detected unusual activity in its network environment. A forensic investigation that followed determined that an unauthorized threat actor had been inside the company’s systems for 25 days — from December 22, 2025 through January 15, 2026 — before the intrusion was caught.

During that window, the attacker potentially exfiltrated participant records. The exact method of initial access has not been publicly disclosed, and as of mid-March 2026, no ransomware group or known threat actor has claimed responsibility for the incident.

Navia notified the U.S. Department of Health and Human Services and began mailing notices to affected individuals on March 18, 2026 — roughly eight weeks after detecting the breach. The company also reported the incident to the Maine Attorney General’s Office, which put the confirmed affected count at 2,697,540 people.

What Data Was Exposed

According to Navia’s official breach notice and filings with state attorneys general, the following data types were potentially acquired:

  • Full name
  • Date of birth
  • Social Security number
  • Phone number
  • Email address
  • Health plan details — including information related to COBRA coverage, flexible spending accounts (FSAs), and health reimbursement arrangements (HRAs)

Navia confirmed that financial account numbers and medical claims data were not compromised. That’s a partial silver lining, but the combination of SSNs, dates of birth, and health plan participation data gives bad actors more than enough to pursue identity theft, targeted phishing, and benefits fraud.

Who Is Affected

Navia serves as a third-party benefits administrator for approximately 10,000 employer clients and enrolls around 1 million active participants in its programs. The breach figure of 2.7 million suggests the exposure extends well beyond current active participants — likely reaching former employees, COBRA recipients, and past plan members whose records were retained in Navia’s systems.

If you or your employees have ever participated in a Navia-administered benefits plan — particularly an FSA, HRA, or COBRA program — there is a reasonable chance your data was accessible during the breach window.

Navia began sending breach notification letters by mail in mid-March 2026. If you haven’t received one but believe you may be affected, you can check Navia’s website for details. Multiple class action law firms, including Lynch Carpenter, LLP, are already investigating claims on behalf of affected individuals.

What To Do Now

If you received a breach notification letter from Navia — or suspect your information was included — take these steps immediately:

  • Enroll in the free identity monitoring. Navia is offering 12 months of complimentary identity monitoring and credit protection through Kroll. Take them up on it. The enrollment details should be in your notification letter.
  • Place a credit freeze. Contact all three major bureaus (Equifax, Experian, and TransUnion) and freeze your credit. This blocks new accounts from being opened in your name until you lift the freeze yourself. It’s free and reversible.
  • Set a fraud alert. As a complementary step, place an initial fraud alert with one bureau (it propagates to the others). This requires lenders to verify your identity before extending credit.
  • Watch for phishing. Attackers who acquire health plan details often use that information to craft convincing phishing emails impersonating insurers, benefits administrators, or the IRS. Be suspicious of any unsolicited contact referencing your benefits, FSA, or COBRA status.
  • Review your benefits accounts. Log in to any FSA or HRA accounts you hold and review transaction history for unauthorized claims or reimbursements.
  • Pull your credit reports. Visit AnnualCreditReport.com and pull reports from all three bureaus. Look for accounts, inquiries, or addresses you don’t recognize.

The Bottom Line

The Navia breach follows a familiar and frustrating pattern: a third-party administrator holding sensitive data on millions of people, a prolonged undetected intrusion, and a disclosure timeline that leaves affected individuals months behind the attackers. The 25-day dwell time before detection is particularly concerning — that’s a long window for data exfiltration, and Navia has acknowledged the attacker “potentially acquired” records, which is corporate disclosure language for “we can’t rule out that everything was copied.”

Benefits administrators occupy an awkward middle ground in the healthcare data ecosystem. They handle highly sensitive PII and limited PHI on behalf of employers, but they often fall outside the focus of the most rigorous HIPAA enforcement, which centers on covered entities like hospitals and insurers. That makes them an attractive target for attackers who want rich identity data with somewhat less organizational friction.

If you’re an IT or security professional managing benefits for your organization, this is a good moment to audit which third-party administrators hold employee data, what contractual security obligations they have, and whether your incident response plan accounts for breaches at benefit vendors. For everyone else: freeze your credit, enroll in the monitoring, and keep an eye out for suspicious communications referencing your health benefits.