Data Breach Hits Benefits Administrator Navia, Affecting Nearly 2.7 Million People

A data breach at the benefits administrator Navia has affected nearly 2.7 million people after hackers exploited its application programming interface (API).

Navia Benefit Solutions administers various programs, including Health Reimbursement Arrangements (HRAs), Flexible Spending Accounts (FSAs), Dependent Care Assistance Program (DCAP), and COBRA benefits.

The Renton, Washington-based company learned of the data breach in late January 2026 and launched an investigation to determine the scope of the incident and the affected individuals.

Navia confirms data breach affected nearly 2.7 million people

Navia’s investigation determined that unauthorized access occurred between December 22, 2025, and January 15, 2026, and potentially resulted in the exfiltration of sensitive personal data.

“On January 23, 2026, Navia discovered suspicious activity related to our environment. Navia promptly responded and launched an investigation to confirm the nature and scope of the incident,” the company stated.

According to a March 13, 2026, data breach notification, the cyber intrusion leaked personal data, including names, phone numbers, email addresses, and Social Security Numbers.

Third-party providers also reported that additional personal details were leaked for some individuals, including dates of birth, Navia ID numbers, employee IDs, and enrollment start and end dates.

However, the data breach did not leak claims data or financial account information, such as bank account details or debit and credit card numbers. Claims metadata was exposed, but it generally poses a lower risk than the claims data itself.

According to a data breach notification filed with the Office of the Maine Attorney General, the data breach potentially affected 2,697,540 people. Navia serves about 10,000 clients across multiple states and has more than 1 million subscribers. The data breach affected current and former beneficiaries and spanned up to seven years, according to some affected clients.

Meanwhile, Navia has implemented additional security measures to harden its environment and prevent a similar data breach in the future. The company has also reinforced its API authorization and enabled multifactor authentication, and it has enforced strict data access controls to prevent unauthorized access to sensitive personal information.

Additionally, the Washington Health Care Authority, which shares data with Navia, stated that the benefits administrator will begin deleting data for accounts that have been inactive for 8 years or for which the subscriber did not select a DCAP or FSA in the previous year.

The company has also notified federal law enforcement authorities and the Department of Health and Human Services (HHS) in compliance with its HIPAA reporting obligations.

“Navia Benefit Solutions has disclosed a significant data breach impacting 2.7 million individuals, exposing sensitive health plan details and Social Security numbers through an exploited API,” explained Damon Small, Board of Directors, Xcape. “The unauthorized access occurred over a three-week window, compromising data from over 10,000 employer clients and affecting records as far back as 2018.”

So far, Navia has found no evidence that the stolen information has been shared or misused. Typically, cybercriminals demand a ransom and threaten to publish the stolen information on illegal data leak sites if the victim organization refuses to pay.

As a precautionary measure, the company is offering 12 months of complimentary credit monitoring and identity theft protection through Kroll to protect potentially impacted victims from fraud.

Navia also advised them to monitor their credit reports for any suspicious activity. They should also consider placing fraud alerts to prevent cybercriminals from using their stolen personal details to obtain loans through impersonation.

Yet another healthcare data breach

Healthcare providers and their technology partners are attractive targets for cybercriminals due to the vast amounts of sensitive personal data they collect and store.

Earlier in March 2026, a data breach impacted Cognizant-owned TriZetto, a billing systems provider for various healthcare practices and health technology systems operators. It compromised the personal information of approximately 3.4 million individuals.

Cegedim Santé’s MonLogicielMedical (MLM) software, a French centralized health information management system, also suffered a data breach that exposed the personal information of 15 million people, including their HIV status and sexual orientations.

“Benefits administrators keep showing up in breach reports,” noted Denis Calderone, CTO, Suzu Labs. “TriZetto, Landmark, Carruth, now Navia. It makes sense considering the wealth and depth of healthcare data held by these back-office companies that aggregate sensitive data from thousands of employers in one place. Why go directly to the hospitals and insurers when you can hit many sources all at the same time.”

“What makes Navia different from the rest is the method. This wasn’t ransomware and it wasn’t a network compromise. A read-only API flaw gave someone 24 days of clean, silent access to 2.7 million records. No malware, no lateral movement, no privilege escalation. Manipulate an API endpoint like that and you’re effectively sitting at the database. The attacker is leveraging the trust granted to the application interface, so it’s difficult to see the attack and to stop it,” noted Calderone.