Navia Benefit Solutions, the Tukwila-based benefits administrator used by thousands of employers across Washington state, disclosed a data breach affecting 2.7 million people. If your company uses Navia for FSA, HRA, or COBRA administration, your employees' personal data may have been exposed.

The breach happened between December 22, 2025 and January 15, 2026. Navia detected it on January 23 but did not begin notifying affected individuals until March 18, 2026.

What Was Exposed

An unauthorized third party gained read-only access through an API to Navia's systems. The compromised data includes:

  • Full names
  • Dates of birth
  • Social Security numbers
  • Phone numbers and email addresses
  • Health plan information including HRA, FSA, and COBRA enrollment details

Navia says claims data and financial account information like bank accounts and credit cards were not exposed. Records going back seven years were in scope.

Who Is Affected

Navia serves over 10,000 employer clients and more than one million participants. In Washington state specifically:

  • Approximately 27,000 current and former PEBB members
  • Approximately 5,600 current and former SEBB members
  • Approximately 3,000 current and former COFA islander members
  • 37 school districts that contracted with Navia before SEBB launched in January 2020

If your organization uses Navia for benefits administration, your employees may be in scope even if they have not received a notification letter yet.

What Navia Is Offering

Navia is providing 12 months of free identity protection and credit monitoring through Kroll. Notification letters with enrollment instructions began mailing on March 18. A substitute notice is posted at naviabenefits.com/notice-of-data-event for individuals who cannot be reached by mail.

What Your Business Should Do Right Now

1. Confirm whether your employees are affected. Contact your Navia account representative and ask directly whether your organization's data was in the breach scope. Do not wait for Navia to come to you.

2. Notify your employees proactively. Do not rely on Navia's mailing timeline. If your organization used Navia for benefits at any point in the last seven years, tell your employees now. Give them the Navia breach notice URL and the Kroll enrollment information.

3. Advise employees to freeze their credit. With SSNs and dates of birth exposed, identity theft is a real risk. Employees should place fraud alerts or credit freezes with all three bureaus:

4. Watch for phishing. Attackers now have names, emails, SSNs, and benefit enrollment details for 2.7 million people. Expect targeted phishing emails that reference real benefit plan information. Warn your employees to be suspicious of any emails about their FSA, HRA, or COBRA accounts that they did not initiate.

5. Review your vendor agreement. Check whether your contract with Navia includes breach notification SLAs and indemnification clauses. The eight-week gap between detection and notification is worth examining.

6. Washington state employers on PEBB or SEBB: Check the HCA announcement for program-specific guidance.

Multiple law firms have opened class action investigations, including Edelson Lechtzin LLP and Migliaccio & Rathod LLP. The breach has been reported to the Maine Attorney General, HHS under HIPAA breach notification rules, and the Washington State Health Care Authority.

The Bigger Picture for Washington Businesses

Navia is headquartered in Tukwila and deeply embedded in the Washington employer benefits ecosystem. This breach is not happening to a distant vendor. It is local, it is large, and it affects the kind of employee data that enables real financial harm.

If your benefits administrator gets breached, your employees look to you for answers. Having a plan before it happens is the difference between a controlled response and a scramble.

Need help reviewing your vendor security posture or building an incident response plan? Contact Rain City Techworks.