VeriSource Services, a Houston-based provider of employee benefits administration, has confirmed that a cyberattack from February 2024 resulted in the data theft of 4 million individuals — primarily employees and dependents of its client companies.

The breach wasn’t publicly disclosed until recently, and affected parties are just now being notified.

The details provide a clear timeline of how the breach unfolded:

• February 27, 2024: A threat actor exfiltrated data from VeriSource’s systems.
• February 28, 2024: The breach was discovered.
• August 12, 2024: Review of compromised data was completed.
• April 17, 2025: Notification preparations were finalized after coordinating with client companies.
• Late April 2025: Impacted individuals began receiving breach notifications.

The stolen data varies by individual, but in general, includes:

• Full names
• Home addresses
• Dates of birth
• Gender information
• Social Security numbers

All of this data relates to the employee benefits services VeriSource manages — such as enrollment, billing, ACA reporting, dependent verification, and more.

VeriSource reported the breach to the Maine Attorney General’s Office, confirming that 4 million individuals were impacted.

The affected individuals are employees and dependents of organizations that use VeriSource for HR and benefits administration services.

VeriSource says it has no evidence that the stolen data has been misused, but it is offering 12 months of free credit monitoring and identity protection services to those affected.

In its public notice, the company advised impacted individuals to watch their financial accounts closely and report any suspicious activity.

The breach follows a familiar pattern we’ve seen with third-party providers in the HR and benefits space — a delayed discovery, a complex data review process, and a lengthy notification timeline that spans more than a year from the date of the attack.