Breach Analysis

IOA Breach: Phishing Attack Exposes 12,913 After 200-Day Delay

Insurance Office of America (IOA) breach analysis: a phishing email gave attackers five days of network access, exposing 12,913 records. 200-day delay.

By FinSecLedger
Records: 12,913
Vector: phishing
Status: confirmed
Occurred: Jun 25, 2025
Discovered: Jun 30, 2025
Disclosed: Jan 16, 2026
Exposed: Names, SSN, DOB, Addresses, Financial Records
Sources: Maine AG

Insurance Office of America, Inc. (IOA), a major insurance intermediary based in Longwood, Florida, has disclosed a data breach affecting 12,913 individuals. The breach originated from a phishing email that gave an attacker access to IOA's network for five days between June 25 and June 30, 2025. IOA discovered the intrusion on June 30, the same day the unauthorized access window closed. But the company did not begin notifying affected individuals until January 16, 2026 -- a 200-day gap between discovery and disclosure that stands out even in an industry accustomed to slow-moving breach notifications.

The filing with the Maine Attorney General identifies IOA as providing services to insurance carriers, health plans, and employers. That intermediary role places IOA at the center of data flows between insurers and their customers, making this breach a third-party risk event for every organization in IOA's client chain. CIO John Woods signed the notification letter, and the company retained Jennifer Urban, a partner at Foley & Lardner, as legal counsel -- a signal that IOA is preparing for regulatory scrutiny and potential litigation.

Timeline of Events

The five-day intrusion window is narrow by breach standards, but the notification timeline is anything but.

June 25, 2025: An unauthorized individual gained access to IOA's network after an employee responded to a phishing email. The filing does not say how the attacker maintained access over the following days; the likely paths are continued use of the employee's compromised credentials or lateral movement from that initial foothold.

June 30, 2025: IOA detected the unauthorized access and terminated it. The company states it immediately launched an investigation and engaged external cybersecurity experts to determine what data may have been accessed.

June 30, 2025 -- January 16, 2026: A 200-day gap during which IOA conducted what it describes as a "time-intensive data analysis and approval process." The notification letter explains that the delay was partly attributable to needing "IOA Customers' approval" before notifying affected individuals. Because IOA acts as an intermediary processing data on behalf of carriers and employers, it apparently could not notify individuals without first obtaining sign-off from the upstream clients who own those relationships.

January 16, 2026: IOA filed breach notifications and began mailing letters to affected individuals. The filing states that notification was not delayed as a result of law enforcement investigation.

The 200-day timeline is significant. While some delay for forensic analysis and data review is standard, six and a half months pushes the boundaries of what most state notification statutes consider reasonable. The multi-party approval chain highlights a structural problem in the insurance intermediary model: when a middleman holds the data, nobody moves quickly.

What Data Was Exposed

The notification letter uses template variables for the specific data types exposed, listing "name and <<Variable data 1>>" as the compromised information per individual. This templated approach means different people had different categories of data accessed, depending on which files the attacker reached and which IOA client's data those files contained.

IOA is offering affected individuals 24 months of credit monitoring through Epiq, including Social Security number monitoring and identity restoration. SSN-specific monitoring is rarely offered unless SSNs were exposed, so the credit monitoring package strongly indicates that Social Security numbers were compromised for at least a subset of the 12,913 affected individuals.

Given IOA's role servicing insurance carriers, health plans, and employers, the files accessed during the five-day window likely contained names, Social Security numbers, dates of birth, contact information, policy numbers, health plan enrollment data, and employment records. Insurance intermediaries handle the administrative plumbing of the insurance industry -- enrollment, claims processing, benefits administration -- and that plumbing runs on personal identifiers.

The variable-by-individual exposure pattern also complicates the risk picture for affected people. Some may have had only a name and address accessed, while others may have had their full SSN, date of birth, and health plan information exposed. Without knowing which category you fall into, the prudent response is to assume the worst.

How the Attack Happened

The attack vector was phishing. An employee at IOA received a malicious email, interacted with it, and that interaction gave the attacker a foothold in IOA's network. From that initial compromise on June 25, the attacker maintained access for five days until detection on June 30. Whether the attacker used the compromised email account as a pivot to access file shares, databases, or other systems is not specified in the filing. But five days of network access is enough time to enumerate internal resources, locate sensitive data stores, and exfiltrate files -- particularly if the initial compromise gave the attacker access to an account with broad permissions.

Phishing remains the leading initial access vector in the insurance and financial services sectors. The Ameriprise Financial Services breach, disclosed to Maine in January 2026, also originated from a phishing-related compromise affecting 598 individuals. The Texana Bank breach, filed around the same time, similarly traced back to phishing as the initial vector, with 1,324 records exposed. IOA's incident at 12,913 records represents a significantly larger yield from the same fundamental attack technique.

The difference in outcomes often comes down to what the phished account had access to. An employee credential that opens the door to a single mailbox produces a contained breach. A credential that grants access to shared drives, CRM systems, or benefits administration platforms produces the kind of broad, variable-data exposure IOA is now disclosing.

Who Is Affected

The 12,913 affected individuals are spread across IOA's client base of insurance carriers, health plans, and employers. The Maine AG filing identifies 15 Maine residents among the total, but the population extends nationally, reflecting IOA's role as a large-scale insurance services intermediary.

Because IOA operates as a middleman rather than a direct-to-consumer insurer, the affected individuals may not have had any direct relationship with IOA itself. They are employees enrolled in health plans that IOA administered, policyholders whose data IOA processed on behalf of a carrier, or benefits participants whose records passed through IOA's systems. Many may not have known IOA's name before receiving the breach notification letter.

This is the third-party risk problem in its most direct form. Individuals entrusted their data to an employer or insurer, that entity delegated processing to IOA, and IOA's security failure became their exposure. The approval chain that caused the 200-day delay underscores just how many layers sit between the person whose data was stolen and the organization that failed to protect it.

Regulatory and Legal Implications

The 200-day notification delay is the most legally consequential aspect of this breach. State breach notification laws vary, but the trend over the past five years has been toward shorter, more explicit notification deadlines.

Maine's statute (10 M.R.S. Section 1348) requires notification "as expediently as possible and without unreasonable delay," with a hard cap of 30 days after the entity determines that a breach has occurred. Florida, where IOA is headquartered, requires notification within 30 days of determination under Fla. Stat. Section 501.171. Multiple other states have adopted 30- to 60-day windows. IOA's explanation that the delay resulted from needing client approval before notifying individuals may not satisfy regulators who view notification obligations as running from the date the data holder determines a breach occurred, not from the date all business partners agree on a communication plan.

The Gramm-Leach-Bliley Act applies to IOA's operations as a financial institution. For insurance licensees, GLBA's safeguards obligations are enforced primarily by state insurance regulators through NAIC-derived regulations rather than directly through the FTC's Safeguards Rule, but the substance is the same: a security program appropriate to the size and complexity of the institution and the sensitivity of the customer information it handles. A phishing-induced network compromise that persists for five days raises questions about email security controls, network segmentation, and access management -- all elements those safeguards standards address.

The NAIC Insurance Data Security Model Law, now adopted in more than 20 states, imposes direct obligations on insurance licensees including intermediaries like IOA. Section 4 requires a written information security program, and Section 6 mandates notification to the state insurance commissioner within 72 hours of determining that a cybersecurity event has occurred. Whether IOA met that 72-hour requirement in the states where it holds insurance licenses is an open question.

The engagement of Foley & Lardner as breach counsel signals IOA's expectation of regulatory inquiries, demand letters, or class action litigation. Plaintiffs' attorneys have been increasingly active in filing suits over delayed breach notifications, arguing that the delay itself constitutes a separate harm by depriving individuals of the opportunity to take protective action sooner.

The Bigger Picture

IOA's breach fits a pattern building across the insurance sector throughout 2025 and into 2026. Insurance intermediaries, administrators, and service providers have become high-value targets because they sit at the intersection of multiple data streams. A single intermediary may hold data from dozens of carriers, hundreds of employer groups, and tens of thousands of enrollees. Compromising one intermediary is more efficient than attacking each insurer individually.

Our breach tracker shows a cluster of insurance-sector incidents in recent filings. Continental Casualty Company (CNA) disclosed a breach affecting 5,875 policyholders through a vendor compromise. The Gravity Payments breach exposed 2,278 records through a third-party CRM vulnerability. As we detailed in our CNA Continental Casualty breach analysis, vendor and intermediary compromises are becoming the dominant breach pattern in the financial services sector -- not because these organizations are uniquely careless, but because they aggregate exactly the kind of data attackers seek.

The phishing vector continues to outpace technical defenses. The FBI's Internet Crime Complaint Center (IC3) reported that phishing was the most common cybercrime type by volume in its most recent annual report, with financial services among the most targeted industries. The Cybersecurity and Infrastructure Security Agency (CISA) has urged organizations to implement phishing-resistant multi-factor authentication, particularly FIDO2-based hardware tokens, rather than relying on email filtering alone.

For insurance intermediaries, the lesson from IOA's breach is operational: the multi-party data relationships that define the intermediary model create multi-party notification obligations, and those obligations need to be defined in contracts before an incident occurs, not negotiated in the aftermath. A 200-day notification delay driven by client approval processes is a governance failure, not a technical one.

Action Items

For affected individuals:

  1. Enroll in the 24-month credit monitoring offered through Epiq before the enrollment deadline in your notification letter. The service includes SSN monitoring and identity restoration.

  2. Place a security freeze with Equifax, Experian, and TransUnion. This is the single most effective step against new account fraud. Freezes are free and can be lifted temporarily when you need to apply for credit.

  3. Request an IRS Identity Protection PIN at irs.gov/ippin if your Social Security number was among the exposed data types. This prevents fraudulent tax returns filed under your SSN.

  4. Monitor health insurance explanation of benefits (EOB) statements for claims you do not recognize. If IOA held your health plan enrollment data, medical identity theft is a real risk.

  5. File a report with the FTC at identitytheft.gov if you discover any misuse. This generates a personalized recovery plan and creates an official record.

For insurance carriers, health plans, and employers using intermediaries:

  1. Audit your intermediary's security controls against NAIC Model Law and GLBA Safeguards Rule standards. Verify that the intermediary has deployed phishing-resistant MFA, email authentication protocols (DMARC, DKIM, SPF), and network segmentation that limits lateral movement from a compromised endpoint.

  2. Define notification timelines in your service agreements. Contracts should specify maximum notification windows -- 30 days from breach determination, aligned with the strictest applicable state law -- and should not condition individual notification on the client's approval.

  3. Inventory what data your intermediaries hold. If your intermediary is processing SSNs, health information, or financial records on your behalf, confirm that data minimization principles are in place. Does the intermediary need to retain that data after the immediate processing task is complete?

  4. Update your own incident response plan to account for intermediary breach scenarios. When your intermediary is breached, your policyholders and employees are the ones receiving notification letters with your data in them. Your communications team needs a playbook for that situation.
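Item 1 above asks whether an intermediary has deployed SPF and DMARC. The checks below are an added example written for this page, not code from FinSecLedger, IOA, or any vendor: they take the TXT record strings a reviewer would pull with `dig TXT example.com` and `dig TXT _dmarc.example.com` and flag the settings that make email authentication ineffective (a DMARC `p=none`, a permissive or missing `all` term in SPF, a record that exceeds the ten-lookup limit from RFC 7208). The sample records and domain names are constructed for illustration and are not IOA's; DKIM is deliberately left out because it cannot be audited without knowing the sender's selector names.

```python
"""Flag weak SPF and DMARC records during a vendor email-security review.

Added example for the audit checklist above; not code from the original page.
Input is the raw TXT record string (or None if no record is published).
Sample records at the bottom are constructed, not real IOA records.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Finding:
    record: str    # "spf" or "dmarc"
    severity: str  # "high", "medium", "low"
    message: str


def parse_dmarc(txt: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=...' into a tag -> value dict (tags lowercased)."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def audit_dmarc(txt: Optional[str]) -> List[Finding]:
    if not txt:
        return [Finding("dmarc", "high", "no DMARC record: spoofed mail from this domain is unpoliced")]
    tags = parse_dmarc(txt)
    if tags.get("v", "").upper() != "DMARC1":
        return [Finding("dmarc", "high", "record does not start with v=DMARC1; receivers ignore it")]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append(Finding("dmarc", "high", "missing or invalid p= tag"))
    elif policy == "none":
        findings.append(Finding("dmarc", "high", "p=none: monitoring only, spoofed mail is still delivered"))
    elif policy == "quarantine":
        findings.append(Finding("dmarc", "medium", "p=quarantine: spoofed mail lands in spam instead of being rejected"))
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(Finding("dmarc", "medium", f"pct={pct}: policy applied to only {pct}% of failing mail"))
    if "rua" not in tags:
        findings.append(Finding("dmarc", "low", "no rua= address: nobody receives aggregate reports"))
    # sp= defaults to p=; an explicit sp=none leaves subdomains spoofable.
    if tags.get("sp", policy).lower() == "none" and policy != "none":
        findings.append(Finding("dmarc", "medium", "sp=none: subdomains can be spoofed although the apex is protected"))
    return findings


def audit_spf(txt: Optional[str]) -> List[Finding]:
    if not txt:
        return [Finding("spf", "high", "no SPF record published")]
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return [Finding("spf", "high", "record does not start with v=spf1")]
    findings = []
    mechanisms = [t.lower() for t in terms[1:]]
    # The "all" term decides what happens to senders not matched earlier.
    all_term = next((m for m in mechanisms if m.lstrip("+-~?") == "all"), None)
    if all_term is None or all_term in ("all", "+all"):
        findings.append(Finding("spf", "high", "+all or no all term: any sender passes, SPF provides no protection"))
    elif all_term == "?all":
        findings.append(Finding("spf", "high", "?all is neutral: unlisted senders are not failed"))
    elif all_term == "~all":
        findings.append(Finding("spf", "low", "~all softfail: acceptable with DMARC enforcement, weak on its own"))
    # RFC 7208 section 4.6.4 caps DNS-querying terms at 10; beyond that evaluators permerror.
    lookup_re = re.compile(r"^[+\-~?]?(include:|a\b|mx\b|ptr|exists:|redirect=)")
    lookups = sum(1 for m in mechanisms if lookup_re.match(m))
    if lookups > 10:
        findings.append(Finding("spf", "high", f"{lookups} DNS lookups exceed the limit of 10: record yields permerror"))
    return findings


def audit_domain(spf_txt: Optional[str], dmarc_txt: Optional[str]) -> List[Finding]:
    """Combined findings for one domain; an empty list means nothing to flag."""
    return audit_spf(spf_txt) + audit_dmarc(dmarc_txt)


# Constructed sample records (hypothetical domains, not IOA's).
WEAK_SPF = "v=spf1 include:_spf.example-mailer.net a mx ~all"
WEAK_DMARC = "v=DMARC1; p=none; pct=100"
STRONG_SPF = "v=spf1 include:_spf.example-mailer.net -all"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("strong", STRONG_SPF, STRONG_DMARC)):
        print(label)
        for f in audit_domain(spf, dmarc):
            print(f"  [{f.severity}] {f.record}: {f.message}")
```

Two caveats for anyone using this in a vendor review. First, a clean SPF/DMARC result means the vendor's own domain is hard to spoof; it says nothing about phishing sent from attacker-registered lookalike domains, which is why the checklist pairs these records with phishing-resistant MFA and segmentation rather than treating them as a standalone control. Second, `p=reject` only counts if the vendor actually reads the `rua` aggregate reports and has moved all legitimate senders onto authenticated paths; a `pct` below 100 or a lingering `p=none` on a subdomain is the usual sign that rollout stalled.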

Tags: breach, insurance, phishing, third-party-risk, maine