Managed Care Advisors/Sedgwick Breach Exposes PHI and PII

Published: February 13, 2026
Updated: February 13, 2026

On Dec. 4, 2025, Managed Care Advisors/Sedgwick Government Solutions (MCA/SGS), a federal government contractor specializing in workers’ compensation and managed care solutions, discovered a cybersecurity incident involving unauthorized access to a corporate Secure File Transfer Protocol (SFTP) server.

The breach was traced back to Nov. 16, 2025, when a third party gained access to the server and encrypted files, indicating a ransomware attack.

The ransomware group identifying itself as TridentLocker later claimed responsibility and, on Dec. 30, 2025, posted approximately 3.39 GB of the organization’s data on a dark web site hosted on the Tor network.

The compromised SFTP server was used to store sensitive files, including data from the previous Nationwide Provider Network contractor for the World Trade Center (WTC) Health Program.

The types of information exposed in this incident are extensive and include both personally identifiable information (PII) and protected health information (PHI): first name, last name, address, Social Security number, date of birth, medical record images, completed WTC Health Program forms and other PHI.

The breach was officially disclosed to the New Hampshire Attorney General on Feb. 10, 2026. So far, the breach has affected approximately three New Hampshire residents.

Managed Care Advisors/Sedgwick Government Solutions' response

Upon discovering the breach, Managed Care Advisors/Sedgwick Government Solutions initiated its incident response plan. The affected SFTP server was quarantined, all connections were disabled, and a secure backup was restored on Dec. 5, 2025.

The company engaged Mandiant, a leading incident response firm, to conduct a forensic analysis of the incident and notified the FBI.

Notifications to affected individuals began on Feb. 11, 2026. Those affected are being offered 12 months of complimentary credit monitoring and identity theft protection services through Kroll, a global leader in risk mitigation.

A dedicated call center has also been established to answer questions and provide support.

Given the nature of the breach and the exposure of both PII and PHI, it is important for affected individuals to take proactive steps:

  • Enroll in the complimentary credit monitoring and identity restoration services provided by Kroll
  • Monitor credit reports for suspicious activity
  • Consider placing a fraud alert or security freeze with the major credit bureaus
  • Stay vigilant for signs of identity theft or medical fraud

Types of information affected

  • Names
  • Social Security numbers
  • Dates of birth
  • Addresses
  • Government IDs
  • Medical information
  • Financial info
  • Affected information types not yet disclosed
