BenefitElect Data Breach Exposes Sensitive Personal Information Including Social Security Numbers

Published: October 16, 2025
Updated: March 26, 2026

On April 2, 2025, Coalesce LLC dba BenefitElect, an Oregon-based benefits administration and HR software provider, discovered suspicious activity within its systems that exposed personally identifiable information (PII) of at least 4,054 residents of Texas, 147 residents of Massachusetts, and two residents of New Hampshire.

The company determined that an unauthorized actor exploited a vulnerability in CrushFTP software, allowing files to be accessed and exfiltrated between March 30, 2025, and March 31, 2025.

The ransomware group Kill Security later claimed responsibility for the breach, stating on a dark web forum that they had obtained BenefitElect’s database and intended to publish it within a week.

A thorough investigation, aided by third-party cybersecurity specialists, revealed that the compromised files contained sensitive benefits eligibility and onboarding census information, including names, addresses, dates of birth, Social Security numbers, health insurance information, and financial account information.

Beginning in October 2025, the company disclosed the data breach to the attorneys general offices in California (updated), Massachusetts, New Hampshire (updated), Oregon, Texas, and Vermont. The U.S. Department of Health and Human Services also released a disclosure on October 15, 2025.

The company publicly acknowledged the incident and provided a detailed security incident notice on its website. Impacted individuals have been notified by mail.

BenefitElect's response

To support those affected, BenefitElect is offering complimentary credit monitoring and identity theft protection services through IDX. Impacted individuals received instructions and an enrollment code to activate these services. Affected individuals are encouraged to remain vigilant by monitoring account statements, reviewing credit reports and enrolling in the provided identity protection services.

Given the nature of the breach, a ransomware attack involving the exfiltration of files containing sensitive PII and financial information, affected individuals should consider placing a fraud alert or credit freeze with the major credit bureaus.

Regularly reviewing credit reports and promptly reporting any suspicious activity are also recommended steps.

Types of information affected
  • Names
  • Social Security numbers
  • Dates of birth
  • Addresses
  • Government IDs
  • Medical information
  • Financial information
  • Affected information types not yet disclosed

Notice Letter


Affected Entity: BenefitElect
Consumer Notification Date: December 24, 2025
Date of Breach: March 30, 2025 - March 31, 2025
Breach Discovered Date: April 2, 2025
Total People Affected: 1396
Information Types Exposed:
  • Name of individual
  • Address
  • Social Security Number Information
  • Medical Information
  • Health Insurance Information
  • Financial account information
  • Date of birth