
The Phia Group, a healthcare cost containment company based in Massachusetts, experienced a data breach. The exposed information included both personally identifiable information (PII) and protected health information (PHI).
Compromised data may include names, addresses, dates of birth, Social Security numbers, driver's license or state ID numbers, payment information, clinical information, doctor's name, health insurance account member number, health insurance group number, medical diagnosis information, medical record number (MRN), medical treatment/procedure information, Medicare number, patient account number (PAN), and treatment location.
This type of cyberattack puts impacted individuals at risk for identity theft and fraud.
The data breach was first disclosed to the Massachusetts Attorney General's office on Oct. 11, 2025. Starting on Jan. 30, 2026, the breach was further disclosed to the attorneys general offices of California, New Hampshire, Oregon, Texas, and Washington.
The Phia Group also posted a notice of data security incident on its website and has begun notifying affected individuals by mail.
The data breach has impacted 40,366 individuals nationwide, including 29,403 individuals in Texas, 2,802 individuals in Washington, 23 individuals in Massachusetts, and 13 in New Hampshire.
In addition to required state and federal disclosures, The Phia Group is offering impacted individuals free Kroll credit monitoring services, which also include fraud consultation and identity theft restoration.
If you receive a notice from The Phia Group about this data breach, you may want to:







