Texas Incident Represents Largest Data Breach by a Health Plan Reported in 2025

A Texas-based insurance provider is alerting over 335,500 individuals about a December security breach in which sensitive personal and health information was accessed without authorization. The incident impacts many, but not all, of the company’s clients, agents, and insurance partners spanning multiple states.
New Era Life Insurance Companies, with operations in Texas, the Midwest, and Pennsylvania, confirmed its classification as a health plan in a HIPAA breach notification submitted to federal authorities on February 11. The breach involves data from policyholders, agents, and insurer partners, with the firm filing additional breach reports with state authorities in places like Maine and South Carolina.
Notably, the firm’s breach notification revealed that suspicious network activity was first detected on December 18. In response, the company activated its incident response procedures, which involved isolating affected systems and enlisting the help of a third-party cybersecurity firm for investigation. Law enforcement was notified as part of the response protocol.
Investigations revealed that an “unauthorized actor” infiltrated the company’s network from December 9 to 18, accessing and copying files from various systems. The information compromised varied among affected individuals and included names, birth dates, insurance identification numbers, and claims data, such as medical diagnosis and treatment details. In certain cases, Social Security numbers were also included in the breach.
The organization emphasized that not all policyholders and agents were affected, clarifying that the breach concerned only those individuals whose information was present in the compromised files. In the wake of the incident, a number of law firms have begun investigating the breach for grounds to initiate class action lawsuits.
In response to the breach, New Era is offering 12 months of free identity and credit monitoring services to impacted individuals. Additionally, to deter future breaches, the company has committed to implementing enhanced security protocols and technical measures.
As of now, the hacking incident involving New Era has emerged as the largest health data breach reported this year, overshadowing nine other healthcare incidents reported to the U.S. Department of Health and Human Services. Overall, a total of 122 major health data breaches have been reported in 2025, with this incident ranking as the fourth largest on record.
Cybercriminals commonly target health plans because of the volume of sensitive information these organizations manage, which makes them lucrative targets for data theft. The risk is exacerbated by the outdated technology infrastructure often seen in many healthcare-related entities, which creates potential exploitation opportunities for attackers drawing on various tactics from the MITRE ATT&CK framework, including initial access and privilege escalation techniques.
Furthermore, industry experts highlight that the pressure to maintain operational integrity can compel healthcare organizations to pay ransoms swiftly, thus reinforcing the importance of proactive cybersecurity measures. With ongoing challenges pertaining to limited resources and funding, healthcare organizations, including health plans, must navigate the complexities of safeguarding vast amounts of critical data.