HRB Tax Group, Inc., better known as H&R Block, experienced a significant data breach that exposed sensitive consumer information. The breach, which occurred on May 13, 2024, was discovered by the company on August 9, 2024.
A total of 23,067 individuals in the United States were affected by this breach, with specific impacts in states such as Texas (640 individuals), Maine (24 individuals), and Massachusetts (38 individuals).
The exposed information includes highly sensitive data such as:
The breach was officially disclosed to various state attorney general offices in December 2024. For example, the Maine Attorney General's office received the disclosure on December 20, 2024, while the California Attorney General's office was notified on December 27, 2024. Similarly, the Massachusetts Attorney General's office was informed on December 27, 2024.
Consumers were notified of the breach via written U.S. mail on November 26, 2024. The breach’s severity is underscored by the type of information exposed, which could potentially lead to identity theft, financial fraud, and other risks for affected individuals.
In response to the breach, HRB Tax Group, Inc. took steps to notify affected individuals promptly. Consumers were informed through written notices sent by U.S. mail, detailing the nature of the breach and the types of information that were exposed. Additionally, the company fulfilled its obligation to report the breach to multiple state attorney general offices, including Texas, California, Maine, and Massachusetts.
While specific details about how the breach occurred or what measures have been implemented to prevent future incidents were not disclosed, the company’s notification efforts demonstrate compliance with legal requirements for data breach reporting.
If you have been notified that your information was part of this breach, it is crucial to take immediate action to protect yourself. Here are some steps you should consider:
Taking these steps can help mitigate the risks associated with the exposure of sensitive information.
A breach notice means your personal details could be circulating far beyond the organization involved. One practical step is continuous monitoring: services such as Identity Defender (included with an ExpressVPN subscription) can automatically check dark-web markets, flag new credit-file activity, and request removal of your information from data-broker sites.
This kind of “early-warning system” can’t undo a breach, but it can help you spot misuse quickly and limit further exposure. ExpressVPN is offering 61% off, risk-free for 30 days, with ID Theft Insurance included and no extra cost for those who sign up for one or two years.