On Nov. 7, 2024, Blue & Co., an accounting and consulting firm, experienced a data breach involving unauthorized access to one of its servers. The incident was discovered on Dec. 9, 2024, when an unauthorized actor claimed to have taken data from the company’s IT environment. Blue & Co. responded swiftly by isolating the affected server and launching an investigation with the help of third-party forensic specialists.
The forensic review determined that the unauthorized access lasted less than half an hour, during which time data was removed from the server. Following this, Blue & Co. engaged additional data review specialists to analyze the compromised files and identify what information was involved and to whom it belonged. This review was completed on May 20, 2025.
The breach exposed a wide range of sensitive consumer information. The types of personally identifiable information (PII) exposed include name, Social Security number, driver’s license number, passport number, individual tax identification number, financial account information (with or without access credentials), date of birth, and username/password.
The breach also involved protected health information (PHI) such as medical information, medical record number, diagnostic information, procedure type, admission date, patient identification number, Medicare identification number, billing and claims information, patient encounter number, treatment location, treatment cost, prescription information, mental or physical condition, treating or referring physician, diagnostic code, and health insurance information.
The breach was reported to the Massachusetts Attorney General on July 8, 2025. According to the official disclosure, at least one Massachusetts resident was affected. A subsequent disclosure was filed with the Vermont Attorney General on Sept. 10, 2025. The cybersecurity incident was also disclosed to the Montana Attorney General's office and the New Hampshire Attorney General on Sept. 22, 2025.
After learning of the breach, Blue & Co. took immediate action to contain the incident and prevent further unauthorized access. The company promptly isolated the affected server, launched a comprehensive investigation with external cybersecurity experts, and notified federal law enforcement as well as the U.S. Department of Health and Human Services.
To support individuals whose information may have been compromised, Blue & Co. began mailing notification letters on July 8, 2025. The company has offered affected individuals complimentary identity monitoring services through Kroll for a specified period. These services include single bureau credit monitoring, fraud consultation, and identity theft restoration. Impacted individuals are encouraged to activate these services by following the instructions provided in their notification letter.
Given the sensitive nature of the exposed information, Blue & Co. advises all potentially affected individuals to remain vigilant. Recommended actions include monitoring account statements, explanation of benefits, and credit reports for any suspicious activity. Individuals are also encouraged to consider placing fraud alerts or security freezes with the major credit bureaus. The company has published a dedicated notification page with further information and resources.