Insurance Office of America Data Breach Exposes Social Security Numbers

On Jan. 11, 2026, Insurance Office of America (IOA), one of the largest privately held insurance brokerages in the United States, discovered a data breach affecting 12,913 people nationwide, including 446 in Texas, 111 in Massachusetts, 54 in New Hampshire, and 15 in Maine.

According to a disclosure filed with the Maine Attorney General, the incident occurred after IOA fell victim to a phishing email attack, allowing unauthorized access to internal systems between June 25 and June 30, 2025.

On July 2, 2025, the DAIXIN Team, a cybercriminal group known for targeting healthcare and insurance organizations, claimed responsibility on the dark web, stating they had obtained more than 100,000 internal documents and threatened to publish them. The attackers reportedly accessed and potentially acquired files containing sensitive personal information, including full names, Social Security numbers, and other personally identifiable information (PII).

The breach was officially disclosed to the California Attorney General, Maine Attorney General, Massachusetts Office of Consumer Affairs and Business Regulation, and New Hampshire Attorney General on Jan. 16, 2026. Written notifications were sent to affected individuals the same day.

Additionally, the breached was disclosed to the Texas Attorney General on Jan. 21, 2026.

Insurance Office of America's response

Upon discovering the breach, IOA launched a comprehensive investigation with external cybersecurity experts to contain the threat and secure its network. The company undertook a detailed review of the compromised files to determine the scope of the data accessed and worked with affected clients and partners before notifying individuals.

To support those impacted, IOA is offering complimentary 24-month credit monitoring and identity protection services through Epiq. These services include credit monitoring, VantageScore credit reports, Social Security number monitoring, dark web surveillance, change of address monitoring, and up to $1 million in identity theft insurance with no deductible.

Given the phishing nature of the attack, IOA recommends that anyone who receives suspicious communications exercise caution, avoid clicking on unfamiliar links or attachments, and report potential phishing attempts.

Additional steps, such as placing a fraud alert or security freeze on credit files, are also advised. Contact information for the major credit bureaus and detailed instructions for these protective measures are included in the written notice provided to affected individuals.