Maryland-based Kelly & Associates Insurance Group, known as Kelly Benefits, has disclosed a data breach affecting over 260,000 individuals. The company, which offers payroll, benefits administration, and consulting services across Maryland and nearby states, detected suspicious network activity in December 2024. An internal investigation revealed that threat actors had unauthorized access to systems between December 12 and December 17, leading to the exfiltration of sensitive data.
Files accessed during the breach reportedly included names, dates of birth, Social Security numbers, tax ID numbers, and even financial and medical information.
Following the incident, Kelly Benefits began notifying affected individuals and customers. Notices are being issued not only by the company but also on behalf of several impacted clients, including Amergis, Beam Benefits, and CareFirst. Other organizations affected by the breach include Beltway Companies, Intercon Truck of Baltimore, and The Guardian Life Insurance Company of America. Each of these entities had customer data stored in files that were compromised during the breach window.
Kelly Benefits officially reported the breach to the Maine Attorney General, confirming the scope at approximately 264,000 impacted individuals. Although no known ransomware group has taken responsibility, the nature of the attack has led to speculation. Given the lack of a public claim and the time elapsed, some experts believe a ransom may have been paid to suppress the release of stolen data.
While the company has not confirmed whether ransomware was involved, the silence from threat actors raises questions. If ransomware was the cause, the lack of publicity suggests a private settlement may have occurred. Regardless, Kelly Benefits is now tasked with rebuilding trust among clients and regulators. The incident underscores the rising risks for benefits and payroll service providers handling sensitive data.
Reference: