Kelly & Associates Insurance Group, also known as Kelly Benefits, has confirmed that more than 413,000 individuals were affected by a cyberattack on its systems in December 2024. This marks the second major revision to its original breach notification. When Kelly Benefits first disclosed the breach in April 2025, it estimated that 32,234 people had been impacted. Two weeks later, that number was updated to 263,893. As of early May, the confirmed total has risen again to 413,032, and the company warns the final number could grow even higher.
The breach occurred between December 12 and December 17, 2024, and involved unauthorized access to Kelly Benefits’ internal network. During that window, attackers copied sensitive files containing personal data. The breach was detected on December 17, and a forensic investigation was completed by March 3. Affected individuals began receiving notification letters on May 2, 2025.
The compromised data varies by individual and may include names, birth dates, Social Security numbers, financial account details, health insurance data, and medical information. Victims are being offered 12 months of free credit monitoring and identity theft protection. Kelly Benefits has since added a dozen more client organizations to its list of affected entities, including Virtua Health, Skyline Technology Solutions, and the University of Maryland Medical System.
As the breach footprint widens, so does the legal fallout. Over a dozen class action lawsuits have already been filed, with more likely to follow as additional victims are identified.
Kelly Benefits has stated that it “acted swiftly” upon discovering suspicious activity and brought in third-party cybersecurity experts to investigate. While no public statement has addressed the exact cause of the breach or whether ransomware was involved, the company acknowledged that files were successfully exfiltrated during the attack.
Lawsuits filed so far allege negligence, failure to secure personal data, and delays in notifying victims. Attorneys representing breach victims argue that the company’s safeguards were inadequate given the sensitive nature of the data it handles.
The growing scale of the Kelly Benefits breach illustrates the cascading risks of third-party data breaches, especially when service providers manage sensitive data for healthcare, insurance, and payroll companies. As seen in other recent attacks, delays in detection and notification only deepen the damage, both for individuals and for the organization’s legal and financial exposure.
Initial estimates only covered early findings; as forensic investigators reviewed more systems and client files, the scope of the breach expanded significantly.
Organizations that used Kelly Benefits, like Virtua Health and the University of Maryland Medical System, are now seeing their own members caught in the fallout.
The stolen data includes not just personal identifiers but also health and financial information, increasing risks of identity theft and medical fraud.
Several class action lawsuits are underway; outcomes may result in financial compensation depending on court rulings or settlements.
Vetting should go beyond certifications: demand clear incident response plans, breach history transparency, and advanced data segmentation practices.