Blue & Co. Data Breach Exposes Social Security Numbers

On Dec. 9, 2024, accounting and advisory form, Blue & Co., discovered that an unauthorized actor had accessed one of its servers and removed data. The intrusion took place on or about Nov. 7, 2024, and lasted for less than half an hour.

Blue & Co. acted to isolate the affected server and engaged third-party forensic specialists to investigate. The investigation determined that the attacker had removed data from the server during the brief window of unauthorized access. A detailed review of the compromised data, completed May 20, 2025, revealed that personal and health information provided to Blue & Co. by certain client companies was impacted.

The types of information exposed include both personally identifiable information (PII) and protected health information (PHI): name, Social Security number, driver’s license number, passport number, individual tax identification number, financial account information (with or without access credentials), medical information, medical record number, diagnostic information, procedure type, admission date, patient identification number, Medicare identification number, billing and claims information, patient encounter number, treatment location, treatment cost, prescription information, mental or physical condition, treating or referring physician, diagnostic code, date of birth, username and password, and health insurance information.

Blue & Co. has not publicly stated the exact number of individuals affected, but the breadth of data types involved and the firm’s extensive client base suggest the impact could be significant. According to the official disclosure, there is no evidence so far that the stolen information has been used fraudulently.

Blue & Co's response

After detecting the unauthorized access, Blue & Co. immediately isolated the impacted server and began a thorough investigation with the help of third-party cybersecurity experts. The company also notified federal law enforcement and the U.S. Department of Health and Human Services about the incident.

To support those who may have been affected, Blue & Co. is sending direct notification letters to individuals whose data was involved, provided it has a valid mailing address for them. The company has established a dedicated assistance line at 866-819-2990, available Monday through Friday from 9 a.m. to 6:30 p.m. Eastern time, starting July 7, 2025. Additional information and updates are available at the Blue & Co. data breach notification page.

Given the sensitive nature of the information exposed—including Social Security numbers, financial account details, medical records and login credentials—affected individuals should take precautionary steps. Blue & Co. encourages vigilance for signs of identity theft or fraud by reviewing account statements, health insurance explanations of benefits, and credit reports. Individuals are also advised to consider placing fraud alerts or security freezes on their credit files and to report any suspicious activity to the appropriate institutions immediately. Contact information for the three major credit bureaus is included in the company’s notice.

More information about the company can be found on the Blue & Co. website.