Navia notifies HCA of security breach affecting PEBB and SEBB members

Updated March 18, 2026

Navia Benefit Solutions (Navia), the administrator of the Flexible Spending Arrangement (FSA) and Dependent Care Assistance Program (DCAP) for the PEBB and SEBB Programs, recently notified HCA of a nationwide security breach of 2.7 million records.

Navia identified the activity in late January 2026, in which personal information was accessed between December 22, 2025 and January 15, 2026. This included Navia records going back seven years (to 2018), affecting almost 27,000 current and former PEBB members, about 5,600 current and former SEBB members, and about 3,000 current and former Compacts of Free Association (COFA) Islander members. About 37 school districts that contracted with Navia before the implementation of the SEBB Program in January 2020 were also notified.

Accessed member information included:

  • Navia ID numbers
  • First and last names
  • Social Security numbers (does not include COFA Islander members)
  • Dates of birth
  • Physical addresses

Additional data may also include phone numbers, email addresses, enrollment start and end dates, and employee IDs. Navia confirmed that there was no evidence of system intrusion, data modification, fund movement, or access to claims data or bank account information.

The breach involved unauthorized read-only access to data, which didn’t allow the unauthorized user to write or delete data.

How will I know if my account was affected? 

Navia will mail a letter to affected current and former PEBB and SEBB members and COFA Islanders in mid-March, providing more details about the breach. The letter will include specific data that was accessed for each individual. The letter will also include information on how individuals can protect their credit and who to call for help.

FAQs

Did HCA share my data with Navia?

Yes. HCA shares your data with Navia to:

  • Enroll you in an FSA, Limited Purpose FSA, or DCAP.
  • Establish an FSA on your behalf when you are eligible for an employer-paid contribution through a collective bargaining agreement (CBA).
  • Provide specific demographic information for all PEBB and SEBB benefits-eligible employees every September ahead of open enrollment. This data informs Navia who is eligible to enroll in FSA and DCAP benefits during annual open enrollment.
  • Provide COFA islanders with a Navia debit card to pay for eligible health and dental care expenses.

The data HCA shared does not exceed what is required for Navia to set up member accounts as needed. Starting in 2025, Navia deletes any unused data in February of the following year after open enrollment.

Why did I get more than one letter from Navia?

Your data may be in Navia’s system under multiple accounts. For example, if you participated in any Navia-administered benefits with a Washington State school district before the SEBB Program was created, or while working for another employer who contracted with Navia.

Why did I get a letter about my child from Navia?

Although children do not have their own Navia accounts, some participants may have added their child’s information — such as name or date of birth — into their accounts to set up recurring Dependent Care Assistance Program (DCAP) claims. Because this information can be stored within a participant’s account, their child’s data could be affected by the incident. As a precaution, Navia is notifying all individuals whose information was included, including parents or guardians of impacted minors, so families are aware and can take precautions if needed.

What can I do to protect my information?

Navia is offering free credit monitoring through Kroll, a contracted incident response provider. In addition, you should watch your bank account, credit cards, and credit report for any suspicious activity. You can also place a freeze or a fraud alert with the three credit bureaus.

Who is Kroll?

Kroll is a global incident response provider with more than 20 years of experience, handling over 3,000 incident response engagements each year. Kroll provides solutions including drafting notifications, operating call centers, and providing monitoring and identity theft protection services.

Was any claims information or my bank account accessed?

At this time, there is no evidence that bank account or claims data were accessed.

Has the breach been fixed?

Yes, it has been contained and resolved.

What is Navia doing to strengthen their security systems?

Navia addressed the incident through targeted security enhancements and governance measures, including:

  • Reinforcing application programming interface (API) authorization testing.
  • Strengthening participant registration and authentication controls (including multi-factor authentication).
  • Applying the strictest security protocols by default whenever the specific impact of data access could not be confirmed.

In addition, provisions were added to the contract between Navia and HCA in 2025 to ensure that PEBB and SEBB subscriber data is deleted each year if the subscriber:

  • Does not elect an FSA or DCAP during open enrollment the year before.
  • Has an FSA or DCAP account that has been inactive for the past eight years.

Who should I call if I have more questions about this incident?

Please call Kroll at 1-844-443-1645, Monday through Friday from 9 a.m. to 6:30 p.m. (Eastern)

We will update this announcement as more information is available.