HIPAA Times news | Concise, reliable news and insights on HIPAA compliance and regulations

Kelly Benefits hit with data breach

Written by Abby Grifno | Apr 23, 2025 6:38:34 PM

Kelly & Associates Insurance Group, Inc. has been hit with a hacking incident, impacting approximately 32k individuals.

 

What happened

Kelly & Associates Insurance Group, Inc., which operates as Kelly Benefits, has recently notified the public and the Department of Health and Human Services (HHS) of a data breach. The insurance group classified the breach as a “hacking/IT incident” and reported that it impacted 32,234 individuals. 

 

Going deeper

According to the notice, Kelly Benefits learned of suspicious activity at an undisclosed time, prompting the group to investigate the incident. Through the investigation, the company determined that their IT environment was accessed between December 12th, 2024, and December 17th, 2024, with some files being copied and taken. 

Kelly Benefits reviewed the impacted files and completed their analysis on March 3rd, 2025. Impacted information varies, but may have included names, Social Security numbers, tax ID numbers, dates of birth, medical information, health insurance information, and financial account information. 

The insurance company said they provided notice to carriers and clients and also offered to provide notice regarding the incident. Impacted individuals have received or will receive mailed letters with information about the incident.

 

What’s next

Kelly Benefits said they take “the confidentiality, privacy, and security of information in its care seriously.” The group added, “As is our typical practice, Kelly Benefits will continue to review our already robust security policies, procedures, and tools as part of our ongoing commitment to information security.” 

The Maryland-based insurance group will be providing data breach notifications to the following organizations: Amergis, Beam Benefits, Beltway Companies, LLC, CareFirst BlueCross BlueShield, The Guardian Life Insurance Company of America, Intercon Truck of Baltimore, Inc., Publishers Circulation Fulfilment, Inc., Quantum Real Estate Management, LLC, and Transforming Lives Inc.

 

The bottom line

Ultimately, business associates can be just as vulnerable to data breaches as healthcare organizations. Insurance companies may find themselves further targeted if they have additional information, like financial or tax-related information, from their clients. Kelly Benefits also clearly articulated who would be distributing breach notifications, which can be helpful as individuals wait to hear if they were impacted. While Kelly Benefits has done their best to respond to the breach, having the best cybersecurity standards and software can make a huge difference in preventing breaches from occurring. 

 

 

FAQs

Do business associates need to be HIPAA compliant? 

If an organization receives protected health information (PHI) from a covered entity (health plans, health care clearinghouses, and certain health care providers), it must comply with HIPAA requirements to safeguard that information.  

 

Do business associates need to send out data breach notices? 

Organizations must send out notices to impacted individuals; however, it’s up to the business associate and the organization they work with to determine who will provide the breach notice. In this case, Kelly Benefits will be notifying some individuals, while the organizations they work with will be notifying others.