Alera Group Data Breach Exposes Social Security Numbers

On April 28, 2025, Alera Group Inc. discovered a data breach impacting several thousand individuals across the United States. An investigation revealed a major cybersecurity incident occurred between July 19, 2024 and Aug. 4, 2024 when an unauthorized actor gained access to the company's network.

The exposed data includes a wide range of personally identifiable information (PII) such as names, addresses, demographic details, dates of birth, Social Security numbers, driver’s license numbers, financial account and credit card information, passport numbers, and other government-issued IDs (including state, military, tribal, or taxpayer identification numbers).

Additionally, protected health information (PHI) was compromised, including medical history, conditions, diagnoses, medications, treatment or testing details, medical record numbers, insurance or claims data, health insurance information, Medicare/Medicaid IDs, as well as electronic/digital signatures, biometric data, and username and password information.

The data breach impacted individuals who received services from Alera Group, its clients, or third-party providers and current and former employees and dependents. Alera Group disclosed the cybersecurity incident to the U.S. Department of Health and Human Services on July 29, 2029, reporting 155,567 individuals impacted.

The breach affected multiple states, including 27,725 Washington residents, four in Maine, 8,014 in Iowa, 257 in Texas, 458 in Massachusetts, 829 in Montana, 8,113 in South Carolina and one in New Hampshire.

The incident was also reported to several state attorney generals' offices, including Washington, Maine, Texas, Massachusetts, California, Vermont, Iowa, South Carolina, Montana and New Hampshire. Alera Group notified affected consumers in writing on May 21, 2025 and published a Notice of Privacy Event on its website the same day.

Alera Group's response

After discovering the breach, Alera Group took steps to secure its systems and began an investigation to determine the scope and impact of the incident. The company has provided details about the breach on its privacy incident page, where affected individuals can find more information and updates.

If you have received a written notice from Alera Group regarding this breach, it is important to take the following steps:

1. Carefully review the notification letter for specific instructions and resources offered by Alera Group.
2. Monitor your financial accounts, credit reports, and health insurance statements for any unusual or unauthorized activity.
3. Consider placing a fraud alert or credit freeze with major credit bureaus to help protect your identity.
4. Be cautious of phishing attempts or suspicious communications that may reference this incident.
5. If your Social Security number or other government-issued identification was exposed, consider contacting the appropriate agencies to discuss additional protective measures.

More information about the company can be found on the Alera Group website.