In August 2024, the Alera Group, the company responsible for administering healthcare benefits for Ulster County government employees, experienced a data breach affecting its computer systems.
The company did not confirm the extent of the breach until April 2025, and even after that confirmation, county employees were not notified until August 2025, nearly a full year after the breach occurred. When the breach was finally disclosed, Alera sent letters by mail to impacted employees and offered 24 months of complimentary credit monitoring through a third-party provider. Ulster County Executive Jen Metzger publicly condemned the delay, calling it “inexcusable” and stating that Alera should have enrolled employees in credit monitoring immediately after the incident.
County Comptroller March Gallagher also criticized the response, noting that employees received multiple notifications from other entities not under contract with Ulster County, suggesting that several organizations had access to employee data through Alera. Both Metzger and Gallagher signaled the county’s intent to investigate the breach’s scope and hold Alera accountable for its handling of the incident.
A Mid Hudson News story on the breach reported that in an email to county staff, County Executive Jen Metzger said, “Immediate action should have been taken by the Alera Group to enroll employees in credit monitoring at the point of the data breach. The Alera Group’s response to this cybersecurity breach falls short of what we would expect from the administrator of our employees’ healthcare benefits, and must be held accountable.”
A county data breach, especially one involving an administrator like Alera Group that manages employee healthcare benefits, can create ripple effects that directly impact healthcare organizations in the county. When sensitive employee data is exposed, the risk of identity theft, insurance fraud, and unauthorized access to medical services increases.
Healthcare organizations within the county could face fraudulent insurance claims, disrupted billing processes, and increased administrative burdens from verifying patient identities and preventing misuse of benefits.
A data breach happens when sensitive, protected, or confidential information is accessed, viewed, stolen, or used by an unauthorized individual. This often involves personal data like names, Social Security numbers, health records, or financial details.
Breaches can occur through hacking, phishing emails, malware, system vulnerabilities, or even human error, like sending sensitive information to the wrong person or losing a laptop.
The impact can be immediate or delayed. Stolen data may be sold or used months or even years later, so it's important to stay alert over time.