Decisely Insurance Services notifies customers of breach affecting over 65K

What happened

Decisely Insurance Services, based out of Georgia, recently notified the Department of Health and Human Services as well as the Vermont Attorney General of a data breach that impacted 65,405 individuals.

The breach report was filed on June 13th, 2025 and Decisely Insurance also posted a notice to their website. 

Data involved in the breach included names, dates of birth, phone numbers, passport numbers, digital signatures, and/or Social Security numbers. 

 

Going deeper

In their notice, the vendor stated that the incident took place on December 16th, 2024, and was discovered the following day on December 17th. Through an investigation, cybersecurity experts determined that some information may have been acquired. 

Decisely began sending out notifications to impacted individuals on June 13th, 2025.

The insurance provider is considered a business associate because they work with protected health information on behalf of their clients, which are healthcare organizations, to process insurance claims. 

Although insurance agencies don’t provide direct care to patients, they must still follow HIPAA requirements because they are considered a covered entity. 

 

The big picture

Vendor attacks are a big issue in healthcare, as criminals often target vendors who may not treat healthcare data as securely as needed. Some vendors may not realize how valuable healthcare data is on the dark web, but they are still responsible for keeping it safe. Insurance companies, billing companies, and more may access data for various healthcare-related reasons. When a breach hits one of these vendors, it can be confusing for patients. Clear, direct communication is important to ensure patients are informed and trust is maintained. 

 

FAQs

Are business associates prone to data breaches? 

Any organization that works with protected health information could be the victim of a data breach. Business associates aren’t necessarily more prone to data breaches, but such breaches are becoming more common. Healthcare organizations should ensure that every vendor they work with has high security standards and proper security software.

 

Who notifies patients of vendor breaches? 

The organization that sends notifications can depend on the situation. While in some cases the healthcare organizations send the breach notifications, in other cases, vendors will take on the responsibility themselves. In this case, Decisely Insurance decided to send the notices. 
