Kelly Benefits Data Breach Lawsuit: What to Know For 260K+ Impacted
by Brian Eckert
Milberg attorneys have filed a class action claim following a data breach that targeted Kelly & Associates Insurance Group, Inc. (“Kelly Benefits”). The proposed lawsuit accuses the company of failing to protect the personal information of more than 260,000 people from cybercriminals.
- The case arises from a data breach that occurred in December 2024
- Guardian Life Insurance and other customers of Kelly Benefits were impacted
- Hackers accessed names, Social Security numbers, medical info, and financial data
- Plaintiff Brittany Parks alleges that Kelly Benefits failed to implement adequate security measures to protect her sensitive information and delayed notifying affected individuals
- Parks seeks injunctive relief and financial compensation, including credit monitoring costs
- The breach is another example of how third-party vendors are often a weak cybersecurity link
What Happened?
Between December 12 and 17, 2024, cybercriminals gained unauthorized access to Kelly Benefits’ systems and exfiltrated unencrypted files containing sensitive personal information, according to a notice posted on its website. The impacted information includes:
- Names
- Social Security numbers
- Dates of birth
- Tax identification numbers
- Health insurance and medical information
- Financial account details
Kelly Benefits “immediately took measures to mitigate the effects of the incident and commenced an investigation to confirm the nature and scope of the incident,” the notice states.
What is Kelly Benefits Accused Of?
The company, which provides outsourced payroll, HR, and benefits administration services, informed the Maine Attorney General that the data breach affects nearly 264,000 individuals.
Defendant failed to adequately protect plaintiff’s and class members’ private information—and failed to even encrypt or redact this highly sensitive information. This unencrypted, unredacted information was compromised due to defendant’s negligent and/or careless acts and omissions and its utter failure to protect benefits recipients’ sensitive data.
However, victims of the breach allegedly didn’t learn about it until April 2025, when Kelly Benefits began sending notification letters—four months after the breach occurred—to affected individuals on behalf of nine clients:
- Amergis
- Beam Benefits
- Beltway Companies
- CareFirst BlueCross BlueShield
- Guardian Life Insurance Co.
- Intercon Truck of Baltimore
- Publishers Circulation Fulfilment
- Quantum Real Estate Management
- Transforming Lives
Parks, who enrolled for employee benefits through Kelly, says in a class action complaint filed in U.S. District Court for the District of Maryland (Case No. 1:25-cv-01311) that the delay in notifying victims violates Maryland’s data breach notification statute by more than 70 days. She also contends that the notice leaves out crucial information, such as whether Kelly was able to contain or end the cybersecurity threat and how the breach occurred. In addition, Parks accuses Kelly of failure to comply with FTC guidelines for businesses about implementing reasonable data security practices.
Kelly’s “conduct amounts to negligence and/or recklessness and violates federal and state statutes,” including the Federal Trade Commission Act and Md. Code Com. Law § 14-3504(b)(3), Parks said.
As a result of the data breach, she and the other members of the proposed class allegedly have suffered and will continue to suffer the risks of exposure of their private information, such as identity theft and targeted marketing.
“By obtaining, collecting, using, and deriving a benefit from plaintiff’s and class members’ private information, defendant assumed legal and equitable duties and knew or should have known that it was responsible for protecting plaintiff’s and class members’ private information from disclosure,” Parks claims in the complaint.
Why This Matters: Benefits Administrators Are Prime Hacker Targets
Third-party vendors like Kelly Benefits serve as critical links in the supply chains of larger organizations and are often the weak link in cyberattacks. Frequently used by employers across industries, including healthcare, vendors often lack the cybersecurity infrastructure of larger organizations, making them a target for cybercriminals, who use them as back doors to access larger pools of personal information.
For hackers, breaching a company like Kelly Benefits means not just reaching one employer—it means potentially exposing the private data of thousands of employees and dependents across dozens of companies.
A third-party data breach—also known as a supply chain attack—occurs when malicious actors compromise a vendor, supplier, contractor, or other organization to access the sensitive information of its customers, clients, or partners. A breach at one firm can compromise data across multiple clients. The Kelly Benefits data breach, for example, affected nine client companies.
As technology advances and global supply chains grow more complex, these breaches are becoming more common.
- Research from IT services and consulting firm Miratech found that 61% of companies reported a third-party breach in 2023—a nearly 50% increase over the previous year and three times higher than in 2021.
- The Identity Theft Resource Center reports that, from 2018 to 2023, the number of organizations impacted by supply chain attacks surged more than 2,600%, while the number of entities impacted went from 101 to 2,769 over the same period.
- Verizon’s 2025 Data Breach Investigations Report found that third-party involvement in breaches doubled from 15 to 30% last year.
Data breaches in the professional services sector are on the rise, increasing from 3% in 2022 to 14% in 2023, reports Kroll. Last year, the professional services industry was the third-most breached, behind healthcare and finance.
Milberg: A National Leader in Privacy and Consumer Protection
Milberg’s Thomas A Pacheco and Mariya Weekes are representing the plaintiff and a proposed nationwide class consisting of the following:
- All individuals residing in the United States whose private information was accessed and/or acquired by an unauthorized party as a result of the Kelly Benefits data breach, including those who received notice of the data breach.
Over a recent 3-year period, Milberg settled more than 50 class actions involving privacy violations in state and federal courts across the country as lead or co-lead counsel—more than any other plaintiffs’ class action firm in the country. Milberg is also responsible for developing favorable case law that many plaintiffs rely on in cybersecurity and privacy litigation.
Since 1965, Milberg has filed thousands of class action lawsuits, recovered billions of dollars for our clients, set groundbreaking legal precedents, and used litigation to protect consumer rights.