Knowledge Breach Notification
,
Knowledge Safety
,
Healthcare
Nationwide Accident Well being Says Breach Uncovered Medical Information of 181,000 Folks
A Maine-based third-party administrator that handles healthcare claims involving day care facilities, youth sports activities and NCAA athlete accidents is notifying greater than 181,000 claimants that their medical data and private identifiers could have been accessed or stolen in an April hacking incident.
See Additionally: New Assaults. Skyrocketing Prices. The True Value of a Safety Breach.
Nationwide Accident Well being Normal Company, or NAHGA, describes itself as a third-party administrator that focuses on secondary accident insurance coverage claims processing for purchasers throughout the nation.
The corporate, which has been in enterprise greater than 30 years, handles claims involving specialty organizations and huge well being insurers that cater to day care facilities; youth sports activities and camps for Okay-12 college students; athletic applications such because the NCAA Divisions I, II and III; nationwide movie and tv productions; and motocross and brief monitor auto racing.
NAHGA, in a breach report submitted to Maine’s lawyer common on Friday, mentioned the hacking affected 181,160 folks.
In a breach discover posted on NAHGA’s web site, the corporate mentioned that on April 10, it “discovered” of bizarre exercise inside its community.
NAHGA mentioned it then instantly took measures to research the exercise and safe its programs.
With the assistance of third-party cybersecurity consultants, the investigation decided that an unauthorized particular person could have accessed or acquired sure information and knowledge saved inside NAHGA’s programs between April 8, and April 11.
“NAHGA performed an in depth evaluate of those programs with a purpose to determine the scope of the incident,” the corporate mentioned, including that it began sending breach notices to affected people with an accessible mailing handle on Nov. 14.
NAHGA’s evaluate of the compromised knowledge discovered that affected data could have included people’ title, Social Safety quantity, date of beginning, driver’s license quantity, medical insurance data and medical or therapy data.
NAHGA mentioned it has taken steps to reinforce its safety to assist cut back the danger of comparable incidents sooner or later.
NAHGA didn’t instantly reply to Data Safety Media Group’s request for added particulars involving the corporate’s breach.
A number of nationwide regulation companies in current days and weeks have issued public notices saying they’re investigating the NAHGA breach for potential class motion litigation. As of Monday, at the least one such federal proposed class motion lawsuit had been filed in opposition to NAHGA stemming from the incident.
That lawsuit alleges, amongst different claims, that NAHGA’s weak safety practices did not cease cybercriminals from accessing and exfiltrating the personally identifiable data and guarded well being data in its care.
“Due to defendant’s knowledge breach, the delicate PII/PHI of plaintiff and sophistication members was positioned into the fingers of cybercriminals – inflicting quite a few accidents and vital damages upon plaintiff and sophistication members,” the criticism alleges.
That lawsuit in opposition to NAHGA seeks monetary damages, together with compensatory and putative, as injunctive reduction requiring the corporate to higher shield plaintiffs and sophistication members’ private and well being data.
As of Monday, the NAHGA incident was not but posted on the U.S. Division of Well being and Human Providers’ HIPAA Breach Reporting Device itemizing main well being knowledge breaches affecting 500 or extra people.
Nonetheless, the NAHGA incident is amongst lots of of different giant breaches – together with hacking incidents – reported by third-party distributors and enterprise associates to the HHS Workplace for Civil Rights to this point in 2025.
The most important such HIPAA enterprise affiliate incident reported in 2025 to this point was a hacking incident at Episource, a medical coding and danger adjustment firm owned by well being insurer UnitedHealth Group’s Optum subsidiary (see: UnitedHealth Group’s Newest Well being Knowledge Breach).
That Episource breach, reported to HHS OCR on June 6, affected greater than 5.4 million folks. Episource in its breach discover mentioned that the corporate detected uncommon exercise on its laptop community on Feb. 6. The corporate mentioned its investigation into the incident decided that cybercriminals accessed and stole copies of some Episource knowledge between Jan. 27 and Feb. 6.
