Navia Benefit Solutions, a company that administers employee benefits including Health Savings Accounts (HSAs), Flexible Spending Accounts (FSAs), and COBRA, disclosed a data breach affecting 2,697,540 individuals. A read-only API flaw gave attackers 24 days of silent access to sensitive data including Social Security numbers, dates of birth, and health plan information. If you currently or previously used Navia for your employee benefits, here is what you need to know and what steps to take immediately.
What Happened
Between December 22, 2025 and January 15, 2026, unauthorized actors exploited a read-only API vulnerability to access Navia's systems. The flaw allowed the attackers to silently query and extract personal data for nearly 24 days before the unauthorized access was detected and shut down.
Navia posted a public breach notice on March 13, 2026, and began mailing notification letters to affected individuals on March 18, 2026. The company is offering 12 months of free identity theft protection services through Kroll to those whose data was compromised.
The nature of this breach -- a read-only API vulnerability -- means the attackers could view and copy data but could not modify or delete records. While this limits certain types of damage, it does not reduce the severity of the data exposure itself. The attackers had nearly a month to methodically extract information from the system.
What Data Was Exposed
The compromised data includes names, dates of birth, Social Security numbers, phone numbers, email addresses, and health plan information. Navia has stated that direct financial account numbers and claims data were not exposed in the breach. However, the combination of Social Security numbers with personal identifying information and health plan details creates serious identity theft and fraud risks.
Why This Breach Is Especially Concerning
Several factors make the Navia breach particularly serious:
- Social Security numbers were exposed. Unlike email addresses or even passwords, you cannot change your Social Security number. Once exposed, it creates a permanent identity theft risk that must be managed indefinitely.
- Health plan information was included. This data can be used for medical identity theft, where criminals use your identity to obtain medical care, prescription drugs, or file fraudulent insurance claims. Medical identity theft is notoriously difficult to detect and resolve.
- The scale is massive. With nearly 2.7 million individuals affected, this is one of the larger benefits administration breaches on record.
- The 24-day access window was substantial. The attackers had more than three weeks to systematically extract data, suggesting the exposure may be comprehensive rather than limited to a random sample.
Do Not Ignore the Notification Letter
If you receive a notification letter from Navia, take it seriously and act immediately. The letter will include instructions for enrolling in the free 12-month identity theft protection through Kroll. Enroll as soon as possible -- the protection window begins from the enrollment date, and delaying only shortens your coverage period. Do not discard the letter, as it contains a unique code you will need to activate the monitoring service.
Steps to Take Right Now
1. Freeze Your Credit at All Three Bureaus
With Social Security numbers exposed, a credit freeze is the single most important step you can take. A credit freeze prevents anyone -- including you -- from opening new credit accounts until the freeze is temporarily or permanently lifted. Contact each bureau directly:
- Equifax: equifax.com/personal/credit-report-services/credit-freeze or call 1-800-685-1111
- Experian: experian.com/freeze or call 1-888-397-3742
- TransUnion: transunion.com/credit-freeze or call 1-888-909-8872
Credit freezes are free and do not affect your credit score. You can temporarily lift a freeze when you need to apply for credit and then re-freeze afterward.
2. Enroll in the Free Kroll Monitoring
Navia is offering 12 months of free identity theft protection through Kroll. While 12 months is a limited window given that Social Security numbers create a permanent risk, it provides an important immediate layer of monitoring. Enroll using the code provided in your notification letter. Set up all available alerts, including credit monitoring, Social Security number monitoring, and dark web surveillance.
3. Place a Fraud Alert
In addition to a credit freeze, consider placing an initial fraud alert on your credit reports. A fraud alert requires creditors to take extra steps to verify your identity before opening new accounts. You only need to contact one of the three credit bureaus, and they are required to notify the other two. An initial fraud alert lasts one year and is free.
4. Monitor Your Health Insurance Statements
Because health plan information was exposed, watch for signs of medical identity theft. Review all Explanation of Benefits (EOB) statements from your health insurance carefully. Look for medical services, prescriptions, or provider visits you do not recognize. Contact your health insurer immediately if you spot any discrepancies.
5. File Your Taxes Early
Tax identity theft -- where criminals file a fraudulent tax return using your Social Security number to claim your refund -- is a common consequence of SSN exposure. File your federal and state tax returns as early as possible to reduce the window for criminals to file first. Consider applying for an Identity Protection PIN (IP PIN) from the IRS, which adds an extra layer of verification to your tax filing.
6. Review Your Benefits Accounts
Log in to your HSA, FSA, or COBRA accounts and review recent activity for any transactions you do not recognize. Change your passwords for these accounts and any other accounts where you may have used the same credentials. Enable two-factor authentication where available.
7. Watch for Phishing Attempts
With your name, email address, phone number, and employer benefits information exposed, expect targeted phishing attempts. Criminals may pose as Navia, your employer's HR department, your health insurance company, or even Kroll. Be skeptical of any unsolicited communication asking for additional personal information or directing you to click a link.
Beyond the 12-Month Monitoring Window
The free Kroll monitoring expires after 12 months, but the risk from an exposed Social Security number does not. After the monitoring period ends, you will need to maintain your own vigilance. Keep your credit frozen, review your credit reports regularly through AnnualCreditReport.com, and monitor your financial and health insurance accounts for suspicious activity.
This is also where ongoing data removal becomes critical. Your exposed personal information will inevitably make its way onto data broker sites, where it gets combined with other publicly available data to create detailed profiles that criminals can use for identity theft and fraud. PrivacyOn continuously monitors over 100 data broker sites for your personal information and submits removal requests on your behalf. With dark web monitoring included, PrivacyOn can alert you if your exposed data surfaces in criminal marketplaces. Family plans covering up to 5 people make it practical to protect your entire household, which is especially important when a breach of this scale exposes data for millions of individuals.
The Navia breach is a stark reminder that the companies handling our most sensitive data -- Social Security numbers, health information, benefits records -- are not immune to security failures. Taking proactive steps now can significantly reduce the long-term damage.