Cyber Incident Victim: Navia Benefit Solutions
Date:
Jan 2026
Location:
United States of America
Summary
Navia Benefit Solutions discovered unauthorized access to its systems after noticing unusual activity, and an investigation found that an attacker had accessed the network for several weeks, acquiring personal data including names, dates of birth, Social Security numbers, phone numbers, email addresses, and health plan information. The breach affected more than 2.6 million individuals, among them nearly 300 employees of HackerOne who receive benefits through the company. Navia notified the Maine Attorney General’s Office and began informing impacted individuals, stating it had no evidence of misuse of the exposed data. A national class action law firm is investigating potential claims on behalf of those whose information may have been compromised.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 0 motives | 0 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On January 23, 2026, Navia Benefit Solutions discovered unauthorized access to its systems and subsequently determined that an attacker had maintained access from December 22, 2025, through January 15, 2026. During this period the intruder acquired personal data including names, dates of birth, Social Security numbers, phone numbers, email addresses, and health plan information. Navia reported to the Maine Attorney General’s Office that nearly 2.7 million individuals were affected by the breach. The company describes itself as a nationwide administrator of health and financial benefit programs for over 10,000 employers and more than one million participants.
HackerOne announced that it was notifying nearly 300 of its employees that their personal information may have been exposed, later specifying that Navia indicated the information of 287 employees could have been impacted. HackerOne said it received Navia’s breach notification dated February 20, 2026, but the notice was not delivered until March. Navia stated that it has no evidence of any attempted or actual misuse of the exposed data, noting that this is a standard disclosure. Edelson Lechtzin LLP, a national class action law firm, announced it is investigating data privacy claims against Navia Benefit Solutions on behalf of persons whose sensitive personal data may have been compromised.
Following the discovery of unusual activity on or around January 23, 2026, Navia launched an internal investigation and reported the incident to the Maine Attorney General’s Office. HackerOne said it will conduct its own investigation to assess the incident, is actively communicating with Navia to understand how and why the breach occurred, and will evaluate Navia’s privacy and security policies and practices, indicating it may consider alternative benefits providers if unsatisfied. Edelson Lechtzin LLP said it is pursuing a class action lawsuit seeking legal remedies for individuals whose data may have been compromised in the Navia breach.