Builders FirstSource Data Breach Exposes Protected Health Information

Manufacturing data breach illustration
Breach Discovery: Not Publicly DisclosedBreach Notification: 18th February 2026

What Happened in the Builders FirstSource Data Breach?

Builders FirstSource Flex Plan, an entity tied to the building materials company Builders FirstSource Inc., recently confirmed a data breach affecting more than 1,500 people. The Builders FirstSource data breach came to public attention after the company reported it to federal regulators. Because the incident involved protected health information, the disclosure was made to the U.S. Department of Health and Human Services.

The breach appears to trace back to a threat actor known as Leaknet. On Dec. 30, 2025, Leaknet posted a claim on the dark web stating it had obtained data from Builders FirstSource. The group also said it planned to publish the stolen information within a day of the post.

As a result of this dark web posting, scrutiny of the company’s data security increased. However, the exact timeline of the intrusion remains unclear. Public filings have not detailed when unauthorized access first began, how long it continued, or exactly when Builders FirstSource discovered the breach internally.

Because this incident was reported to the HHS, it is classified as involving protected health information. Still, the company has not itemized which specific data elements were exposed in publicly available disclosures. This means affected individuals must rely on direct notification letters for full details.

Who was affected?

The Builders FirstSource data breach affected 1,514 individuals in the United States, according to the federal filing. This number likely includes current or former employees who participated in the Flex Plan, since flexible benefit plans typically serve workers and their dependents.

The exact makeup of the affected population has not been publicly disclosed. It is not yet clear whether the breach touched only employees, or whether dependents and beneficiaries connected to the plan were also involved. In addition, the geographic scope beyond


More Information

Official Notice from Bldr

HHS Office for Civil Rights Breach Notification Portal

Related Data Breaches