Sedgwick Data Breach Exposes Social Security Numbers and Medical Records

Insurance data breach illustration
Breach Discovery: 4th December 2025Breach Notification: 11th February 2026

What Happened in the Sedgwick Data Breach?

Managed Care Advisors/Sedgwick Government Solutions (MCA/SGS) discovered a cybersecurity incident on Dec. 4, 2025. The company found that a third party had gained unauthorized access to a corporate Secure File Transfer Protocol (SFTP) server. This server stored sensitive files related to workers’ compensation and managed care programs the company administers for federal government clients.

According to the investigation, the unauthorized access to the network occurred on or about Nov. 16, 2025. During that intrusion, the attacker encrypted files on the SFTP server, a hallmark of a ransomware attack. A group calling itself TridentLocker later claimed responsibility for the breach. As a result, the incident escalated beyond a simple intrusion into a confirmed data theft event.

On Dec. 30, 2025, TridentLocker posted roughly 3.39 GB of stolen data on a dark web site hosted through the Tor network. This action confirmed that data had actually been exfiltrated, not just encrypted. In response, MCA/SGS engaged Mandiant, a well-known incident response firm, to conduct a full forensic analysis. The company also notified the FBI to support a broader criminal investigation.

Who was affected?

The compromised SFTP server held data connected to the previous Nationwide Provider Network contractor for the World Trade Center (WTC) Health Program. Because of this, individuals affected by the Sedgwick data breach may include program participants whose health and personal records passed through this server. This suggests the impacted population could include workers’ compensation claimants and WTC Health Program beneficiaries.

So far, the breach has been confirmed to affect 16 Massachusetts residents and three New Hampshire residents, based on state notification filings. However, the total nationwide number of affected individuals has not been publicly disclosed. Since MCA/SGS operates as a federal government contractor across multiple states, the true scope may extend well beyond these two states.

What Information Was Potentially Exposed?

The data exposed in this breach is extensive and touches both personally identifiable information (PII) and protected health information (PHI). Because the compromised server stored records tied to a health program, the exposure includes highly sensitive medical details in addition to standard identity data.

  • Full name (first and last)
  • Home address
  • Social Security number
  • Date of birth
  • Medical records
  • Completed WTC Health Program forms
  • Certified health conditions
  • Other protected health information

This combination of data creates serious risk for affected individuals. Social Security numbers paired with dates of birth and addresses give criminals nearly everything needed to open fraudulent credit accounts, file false tax returns, or apply for loans in someone else’s name. In addition, this type of data often stays valuable to criminals for years after a breach occurs.

The exposure of medical records and certified health conditions adds another layer of danger. Criminals can use stolen health information to commit medical identity theft, such as billing insurers for fake treatments or obtaining prescription drugs under a victim’s name. Because health conditions tied to the WTC Health Program are also sensitive personal history, their exposure raises privacy concerns beyond typical financial fraud.

What is the company doing?

Once MCA/SGS discovered the breach, the company moved quickly to contain it. Staff quarantined the affected SFTP server and disabled all connections to prevent further unauthorized access. By Dec. 5, 2025, the company had restored a secure backup of the system, allowing operations to continue safely.

Beyond containment, MCA/SGS took additional steps to understand the full scope of the incident. The company hired Mandiant to perform a detailed forensic investigation and notified the FBI to assist with the criminal probe. Following this work, MCA/SGS began notifying affected individuals on Feb. 11, 2026. The company also disclosed the breach to the Massachusetts Office of Consumer Affairs and Business Regulation and the New Hampshire Attorney General.

To help affected individuals protect themselves, MCA/SGS is offering 12 months of complimentary credit monitoring and identity theft protection through Kroll. The company has also set up a dedicated call center so affected individuals can ask questions and get support directly.

What Should Affected Individuals Do?

Enroll in Credit Monitoring and Identity Protection

Anyone who received a notification letter should enroll in the free credit monitoring and identity restoration services offered through Kroll. This service can alert you quickly if someone tries to open new accounts using your information.

Because enrollment periods are often time-limited, it helps to sign up as soon as possible after receiving your notice. Taking this step early gives you a head start on catching any suspicious activity tied to the stolen data.

Consider a Fraud Alert or Credit Freeze

Since Social Security numbers and dates of birth were exposed, placing a fraud alert or credit freeze with the three major credit bureaus is a smart precaution. A freeze blocks new creditors from accessing your credit file, which makes it much harder for criminals to open accounts in your name.

To place a freeze, you will need to contact Equifax, Experian, and TransUnion individually. While a freeze may add an extra step when you apply for credit yourself, it offers strong protection against identity theft during this period of heightened risk.

Watch for Signs of Medical Identity Theft

Because medical records and health condition data were exposed, it’s wise to review any insurance statements or medical bills closely. Look for unfamiliar treatments, prescriptions, or provider visits that you did not receive.

If you notice anything unusual, contact your health insurer immediately and request a corrected explanation of benefits. Reporting suspicious medical activity quickly can prevent further fraudulent claims from being processed under your name.

Stay Alert for Phishing Attempts

After a breach like this, scammers often use stolen personal details to craft convincing phishing emails or phone calls. Because criminals may reference real information, such as your name or address, these messages can seem more legitimate than typical scams.

As a result, you should never click links or share personal information in response to unsolicited messages. Instead, verify any request by contacting the organization directly through a phone number or website you already trust.

Review Your Credit Reports Regularly

In addition to enrolling in monitoring services, request free copies of your credit reports from each major bureau and review them carefully. Look for accounts you don’t recognize or inquiries you didn’t authorize.

If you spot anything suspicious, report it right away and consider consulting a data breach attorney for a free case evaluation. An attorney can help you understand your legal options and whether you may qualify for compensation.



More Information

Official Notice from Sedgwickgovernment

Official Notice from Mass

Official Data Breach Notification Letter (PDF)

Related Data Breaches