Privacy Daily is a service of Warren Communications News.

Class Action Says Insurance Group's Negligence Prompted Data Breach

A class-action lawsuit filed Tuesday against insurance company Kelly Benefits for a data breach alleges the company's negligence led to the breach and leak of sensitive information, invading individuals' privacy and violating the Health Insurance Portability and Accountability Act (HIPAA).


The breach exposed the personally identifiable information (PII) and protected health information (PHI) of more than 32,000 individuals. Case 25-00406 was filed in the U.S. District Court for Maryland.

Kelly Benefits "failed to adequately train its employees on cybersecurity, failed to adequately monitor its agents, contractors, vendors, and suppliers in handling and securing" the PII and PHI, the complaint said. Similarly, the company "failed to maintain reasonable security safeguards or protocols ... rendering it an easy target for cybercriminals."

The suit also took issue with how long the insurance company waited before notifying impacted individuals. "Kelly Benefits does not disclose how long it took it to discover the five-day data breach," the complaint said. "However, Kelly Benefits waited 118 days, from the date of the breach until April 9, 2025, before it finally began notifying Class Members about the Data Breach." In addition, it "failed to post a data breach notice on its website, which is common industry practice."

The Maine Office of the Attorney General reported that 263,893 individuals were impacted, including just over 7,000 Maine residents. The AG site attached the notification letter Kelly Benefits sent to customers, which said the insurance company determined the breach occurred between Dec. 12, 2024 and Dec. 17, 2024.

The letter said Kelly Benefits informed the FBI about the incident and would continue reviewing "its already robust security policies, procedures, and tools as part of its ongoing commitment to information security." The company also offered free credit monitoring services for one year to impacted customers, though it did not divulge what information was potentially exposed during the breach.