What Happened in the Tower Administrative Services Data Breach?
Tower Administrative Services, a Pennsylvania-based insurance administration company headquartered in Lancaster, has disclosed a data breach that exposed sensitive personal information belonging to hundreds of thousands of people. The company identified suspicious activity within its corporate network and quickly launched an internal investigation. As a result, security teams worked to determine the scope of the intrusion and what data may have been compromised.
According to the company’s disclosure, unauthorized access to its network occurred on or about Feb. 3, 2026. This means an intruder was able to reach systems that stored sensitive personal and financial information. The exact method used to gain entry has not been publicly disclosed, but the company treated the activity as a serious security event once it was detected.
After discovering the intrusion, Tower Administrative Services worked to identify exactly which files and individuals were affected. This review process was thorough and took several months to complete. The company finished its investigation on or around May 20, 2026, roughly three and a half months after the initial unauthorized access occurred.
Because the breach involved sensitive personal data, the company notified multiple state attorneys general, including those in California, Nebraska, Texas and Vermont. In addition, Tower Administrative Services posted a public notice on its website describing the incident. This kind of multi-state regulatory disclosure is standard practice when a breach affects residents across several states.
Who was affected?
The Tower Administrative Services data breach affected a total of 248,940 individuals nationwide. Because the company works in insurance administration, those affected likely include policyholders, plan members, or other individuals whose information was processed or stored through the company’s administrative services.
State-level breach notifications give some insight into the geographic spread of the incident. For example, 25,742 Texas residents, 3,427 South Carolina residents, 2,540 Indiana residents, 2,124 Massachusetts residents and 78 Vermont residents were confirmed as impacted. However, the source material does not specify the exact breakdown of customers versus employees, nor does it indicate whether minors were among those affected.
Given the scale of the breach, individuals across many other states beyond those listed may also be affected. Anyone who received a notification letter from Tower Administrative Services should assume their information was involved. Because insurance administration often involves sensitive health and financial records, the population affected could span a wide range of ages and backgrounds.
What Information Was Potentially Exposed?
The investigation into the breach found that certain categories of personal information may have been accessed or acquired without authorization. This information could be used by criminals for identity theft or financial fraud if it falls into the wrong hands.
- Full names
- Social Security numbers
- Home addresses
- Financial account information, including debit and credit account numbers
This combination of data is particularly concerning because it includes both identity-verifying details and financial account numbers. As a result, affected individuals face a heightened risk of identity theft, since Social Security numbers can be used to open new credit accounts, file fraudulent tax returns, or apply for loans in someone else’s name.
In addition, the exposure of debit and credit account numbers raises the risk of direct financial fraud. Criminals could attempt unauthorized transactions or create counterfeit cards using this stolen information. Because this data can circulate on illicit markets for years, affected individuals should remain vigilant well beyond the initial notification period.
What is the company doing?
Once Tower Administrative Services detected the suspicious activity, it moved to investigate the incident and determine which systems and individuals were affected. The company then worked to notify state regulators, including attorneys general in California, Nebraska, Texas and Vermont. In addition, the company posted a notice describing the incident on its public website.
As part of its response, Tower Administrative Services began notifying affected individuals directly on June 23, 2026. The company is also offering complimentary credit monitoring and identity protection services through Cyberscout and Identity Force. To enroll, affected individuals must use the unique activation code provided in their notification letter and sign up within 90 days of the letter’s date.
Furthermore, the company has set up a dedicated assistance line for people with questions about the breach. This line operates from 8 a.m. to 8 p.m. Eastern Time, Monday through Friday, excluding major U.S. holidays. Individuals may also reach out by mail to the company’s Lancaster, Pennsylvania address.
What Should Affected Individuals Do?
Enroll in the Free Credit Monitoring Offered
Anyone who received a notification letter should take advantage of the free credit monitoring and identity protection services being offered. Because these services are provided through Cyberscout and Identity Force, enrollment requires the specific activation code included in the letter.
It’s important to act quickly since enrollment must happen within 90 days of the letter’s date. This monitoring can help detect suspicious activity early, giving affected individuals a better chance to respond before serious damage occurs.
Consider a Credit Freeze or Fraud Alert
Because Social Security numbers and financial account information were exposed, affected individuals should strongly consider placing a credit freeze with the three major credit bureaus. A freeze prevents new credit accounts from being opened in your name without your explicit consent.
Alternatively, a fraud alert can also help by requiring lenders to verify your identity before extending credit. Both options are free and can be requested directly from Equifax, Experian and TransUnion. As a result, taking either step adds an important layer of protection against identity thieves.
Monitor Financial Accounts Closely
Given that debit and credit account numbers may have been exposed, it’s wise to review bank and credit card statements regularly. Look for any unfamiliar charges, even small ones, since fraudsters sometimes test stolen account numbers with minor transactions first.
If you notice any unauthorized activity, contact your financial institution immediately. In addition, consider requesting new card numbers as a precaution, since compromised account numbers can be used repeatedly until they are canceled.
Stay Alert for Phishing Attempts
After a breach like this, scammers often use stolen information to craft convincing phishing emails, texts or phone calls. Therefore, affected individuals should be cautious of any unsolicited communication asking for personal information or login credentials.
Never click links or provide sensitive details unless you can verify the source directly. Instead, contact the company or institution through official channels if you’re unsure whether a message is legitimate.
Consult a Data Breach Attorney
Because this breach involved highly sensitive information like Social Security numbers and financial account data, affected individuals may want to speak with a data breach attorney. An attorney can help evaluate whether you qualify for compensation through a potential class action or settlement.
Many attorneys offer free consultations to review your situation at no cost. This means you can explore your legal options without any upfront financial commitment, while also gaining a clearer understanding of your rights.
More Information
Tower Administrative Services Inc
3,427 South Carolina residents
