
HackerOne Employee Data Exposed in Massive Navia Breach

The cybersecurity firm said the personal information of hundreds of employees was stolen in the hacker attack targeting Navia. The post HackerOne Employee Data Exposed in Massive Navia Breach appeared first on SecurityWeek.


Cybersecurity firm HackerOne is notifying nearly 300 employees that their personal information was exposed in a data breach recently disclosed by third-party benefits administrator Navia Benefit Solutions.

Navia revealed last week that it discovered unauthorized access to its systems on January 23, and an investigation found that the attacker had access between December 22, 2025, and January 15, 2026. 

The company said the hackers accessed and acquired information such as names, dates of birth, Social Security numbers, phone numbers, email addresses, and health plan information.

Navia told the Maine Attorney General’s Office that nearly 2.7 million individuals are impacted by the data breach.

In a notification submitted this week to the Maine AGO, bug bounty platform and offensive security solutions provider HackerOne said it was recently notified by Navia, which serves as one of its US benefits administrators, that the information of 287 employees may have been affected by the data breach.

HackerOne said the notification it received from Navia was dated February 20, but it was only delivered in March.

“The safe handling of your personal data is core to who we are as an organization, and HackerOne is treating this as requiring our critical attention,” HackerOne said. “We will undertake our own investigation to assess this incident and are actively communicating with Navia to understand more about how and why this incident occurred and identify immediate areas for improvement to ensure the data of our employees and their dependents is protected.”

It added, “HackerOne will also be evaluating Navia’s privacy and security policies and practices. If we are not satisfied, we will explore other potential options for benefits providers with our broker.”

Navia said in its notification to impacted individuals that it’s not aware of “any attempted or actual misuse” of the exposed information. 

However, ‘no evidence of misuse’ is a standard disclaimer frequently issued by breached companies. 

In Navia’s case there is no indication that cybercriminals have made public any data stolen from the company’s systems, but the aforementioned disclaimer has been used in the past even by firms that had their data publicly leaked.


Publisher: CYBERNEWSMEDIA