TL;DR: Navia Benefit Solutions, a company that manages FSAs and healthcare spending accounts for over 10,000 employers, left an API unprotected for 25 days. Attackers grabbed Social Security numbers, dates of birth, and health plan details for 2,697,540 people. Washington state employees got hit particularly hard: 32,000 current and former public school and government workers had their data exposed.
What happened
Between December 22, 2025 and January 15, 2026, someone walked through an open door at Navia Benefit Solutions. Not literally: the door was an application programming interface (API) that gave read-only access to participant data. No hacking required. Just access.
For 25 days, the unauthorized party had visibility into:
- Full names
- Social Security numbers
- Dates of birth
- Addresses
- Phone numbers and email addresses
- Health plan participation details (FSA, DCAP, COBRA, HRA enrollment)
- Navia ID numbers
Navia didn't notice anything wrong until January 23, 2026, over a week after the access ended. The company brought in third-party cybersecurity experts, fixed the vulnerability, and temporarily disabled portal registration while they implemented "enhanced multi-factor authentication."
Public disclosure came on March 2, 2026. Notification letters started hitting mailboxes in mid-March.
Who got hit
The final count: 2,697,540 individuals.
Navia administers flexible spending accounts, health reimbursement arrangements, COBRA benefits, and dependent care assistance programs for more than 10,000 companies. If your employer uses Navia for benefits administration, your data may be in this breach.
Washington state employees took a particularly hard hit. The Washington State Health Care Authority confirmed that approximately 32,000 people were affected:
- ~27,000 current and former PEBB (Public Employees Benefits Board) members
- ~5,600 current and former SEBB (School Employees Benefits Board) members
- Records dating back to 2018
That's public school teachers, state government workers, university staff, and their families, all with SSNs now potentially in criminal hands.
The API problem nobody wants to fix
This breach happened through "read-only access to participants' data through an application programming interface." In plain English: Navia built a digital doorway for systems to talk to each other and forgot to lock it.
APIs are everywhere in modern healthcare. Your benefits portal, your pharmacy, your doctor's patient system: they all communicate through APIs. When configured correctly, they require authentication. When configured incorrectly, anyone who finds the endpoint can start pulling data.
Navia says no system intrusion occurred, no data was modified, and no funds were moved. Cold comfort when your SSN and health enrollment history are out in the wild.
Why this matters
The data combination here is particularly toxic. SSN + date of birth + address is the identity theft trifecta. Add in health plan enrollment details and attackers know:
- You have FSA or HSA funds (potential targets for healthcare fraud)
- Your employment status and history
- Whether you have dependents (via DCAP enrollment)
- Your relationship with specific employers
This isn't just credit card theft. Someone could file tax returns in your name, open credit lines, or commit healthcare fraud using your benefits information.
The 25-day window also matters. Unlike a smash-and-grab attack, whoever accessed this API had time to methodically collect and organize data. They could have pulled everything they wanted without triggering typical intrusion alerts.
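To make the detection gap concrete, here is an added example (not from Navia or the sources cited here) of two checks run over the same API access log: a per-minute burst alert and a count of distinct participant records read per client across days. The log format, client names, and thresholds are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict

# Assumed log format: "<ISO timestamp> client=<id> GET /participants/<id> 200"
LINE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T(?P<minute>\d{2}:\d{2}):\d{2}Z "
    r"client=(?P<client>\S+) GET /participants/(?P<pid>\d+) 200$"
)

def build_sample_log():
    """Constructed log lines (hypothetical clients and IDs, not real data)."""
    lines = []
    for day in range(1, 11):
        # Portal backend: re-reads the same 5 records every day.
        for n in range(5):
            lines.append(f"2026-01-{day:02d}T09:{n:02d}:00Z "
                         f"client=portal GET /participants/{1000 + n} 200")
        # Low-and-slow client: 30 new records a day, one request per minute.
        for n in range(30):
            pid = 5000 + (day - 1) * 30 + n
            lines.append(f"2026-01-{day:02d}T02:{n:02d}:00Z "
                         f"client=unknown-7 GET /participants/{pid} 200")
    return lines

def analyze(lines, burst_per_minute=20, max_distinct=100, min_days=5):
    """Return (clients tripping the burst alert, clients flagged as slow enumeration)."""
    per_minute = defaultdict(int)   # (client, day, minute) -> request count
    ids = defaultdict(set)          # client -> distinct participant IDs read
    days = defaultdict(set)         # client -> distinct days with activity
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue                # ignore lines that do not match the format
        client = m["client"]
        per_minute[(client, m["day"], m["minute"])] += 1
        ids[client].add(m["pid"])
        days[client].add(m["day"])
    burst = {c for (c, _, _), n in per_minute.items() if n > burst_per_minute}
    slow = {c for c in ids
            if len(ids[c]) > max_distinct and len(days[c]) >= min_days}
    return burst, slow

if __name__ == "__main__":
    burst, slow = analyze(build_sample_log())
    print("burst alerts:", sorted(burst))
    print("slow enumeration:", sorted(slow))
```

On the constructed log the burst check stays silent, while the distinct-record count singles out the one client that keeps reading records it has never read before.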
What you should do
Freeze your credit now
Don't wait for the monitoring service Navia is offering. Freeze your credit at all three bureaus (Equifax, Experian, TransUnion) immediately. It's free and stops new accounts from being opened in your name.
Check your benefits accounts
Log into your FSA/HRA/DCAP accounts and verify all recent transactions. Look for claims you didn't make or providers you've never visited.
Get an IRS Identity Protection PIN
With your SSN exposed, tax fraud is a real risk. Get an IP PIN from the IRS at irs.gov to prevent fraudulent tax filings.
Enroll in the free monitoring
Navia is offering 12 months of identity monitoring through Kroll. It's not a substitute for a credit freeze, but it's free and can alert you to misuse. Call (844) 443-1645 if you didn't get a letter.
Washington state employees
The Washington Health Care Authority has updates at hca.wa.gov and a support line at 1-800-700-1555. If you've participated in PEBB or SEBB FSA/DCAP programs since 2018, assume your data is exposed even if you haven't received a letter yet.
Class action investigations underway
Multiple law firms have opened investigations into potential class action lawsuits against Navia. Class action attorneys are investigating whether Navia failed to adequately protect participant data and whether affected individuals may be entitled to compensation for "loss of privacy, time spent dealing with the breach, and out-of-pocket costs."
If you're affected and considering joining a lawsuit, document everything: time spent on credit freezes, monitoring signup, any fraudulent activity, and communications with Navia.
References
- Washington State Health Care Authority - Notification of Navia data breach
- CyberInsider - Navia Benefit Solutions data breach impacts 2.7 million individuals
- The Record - Health plan information for over 2.6 million stolen from third-party admin Navia
- ClassAction.org - Navia Benefit Solutions Data Breach Investigation
- Help Net Security - Navia breach context, March 2026