CRC Insurance Data Breach Exposes Social Security Numbers

CRC Insurance Services, LLC, a leading wholesale insurance broker and subsidiary of CRC Group, experienced a significant data breach that affected consumers in multiple states. On Feb. 19, 2025, CRC discovered that unauthorized access to its computer systems had occurred. A subsequent investigation revealed that, on Feb. 3, 2025, data was accessed and acquired without authorization from a file server used by employees in one of its local offices.

The types of personally identifiable information (PII) compromised include names, addresses, Social Security numbers, dates of birth, driver’s license numbers and financial account details such as credit or debit card numbers. In addition, some protected health information (PHI) was also exposed, including medical records and medical information.

According to disclosures filed with state authorities, 1,701 Texas residents, 175 Massachusetts residents and 33 New Hampshire residents were affected. The breach was reported to the Massachusetts Attorney General’s office on June 27, 2025, to the Texas Attorney General’s office on July 1, 2025, and to the New Hampshire Attorney General’s office on July 10, 2025.

The breach was the result of unauthorized access to a file server, but the notice does not specify whether the attack was due to phishing, malware, or another method. Law enforcement was notified, and CRC engaged a third-party cyber forensic expert to investigate, contain and remediate the incident. The severity of this breach is high due to the exposure of both PII and PHI, which can increase the risk of identity theft and fraud for those affected.

CRC Insurance Services' response

In response to the incident, CRC Insurance Services took action to investigate and contain the breach with the help of a third-party forensic firm. The company also notified law enforcement and implemented a range of measures to strengthen its cybersecurity posture, including technical enhancements and updated employee guidance.

To support affected individuals, CRC has partnered with Kroll, a global leader in risk mitigation, to provide complimentary identity monitoring services for a specified period. These services include credit monitoring, fraud consultation and identity theft restoration. Affected individuals are encouraged to enroll in these services by visiting the Kroll enrollment website provided in their notification letter.

Given the nature of the information exposed, those affected should remain vigilant by reviewing their credit reports, bank accounts and other financial statements for unusual activity. It is advisable to place a fraud alert or security freeze on credit files and to promptly report any suspected identity theft to the appropriate authorities. Additional resources and guidance are included in the official notice to consumers, which is available at the bottom of this page in PDF format.

For more information about the company, visit the CRC Group website.