
RMS Breach Exposes 22,300 Workers' Comp Claimants After Subcontractor Failure

Risk Management Services disclosed a breach affecting 22,300 individuals after a subcontractor's security protocol failure allowed unauthorized remote access, exposing SSNs and medical data.

By FinSecLedger
Records: 22,300
Vector: third party
Status: confirmed
Occurred: Feb 23, 2025
Discovered: Jun 19, 2025
Disclosed: Sep 2, 2025
Exposed: names, addresses, SSN, DOB, medical
Sources: Maine AG

Risk Management Services, LLC (RMS), a third-party administrator providing workers' compensation claim services, disclosed a data breach affecting 22,300 individuals after an unauthorized person gained access to its systems through a remote connection. The filing with the Maine Attorney General on September 2, 2025, identifies the root cause bluntly: "a subcontractor's failure to follow established security protocols." The exposed data includes Social Security numbers, dates of birth, residential addresses, and medical information related to workplace injuries -- a combination that creates simultaneous risks across financial identity fraud and medical identity theft.

RMS provides administrative services on behalf of LCTA Mutual Holding Company and LCTA Casualty Insurance Company (operating as LCTA Workers' Comp). The affected individuals are workers' compensation claimants whose injury claims were processed through RMS's systems. For these individuals, the breach exposes not just their financial identities but their medical histories -- information that cannot be changed or reissued like a credit card number.

Timeline of Events

Date of unauthorized access: The notification letter does not specify the exact date of the intrusion, but the breach database records indicate the incident occurred around February 23, 2025.

Discovery: RMS states it "immediately contained the breach and launched a thorough investigation" upon discovery. The database records suggest discovery around June 19, 2025 -- a gap of approximately four months between the unauthorized access and detection. If accurate, this detection timeline is concerning for a remote access compromise, which should be identifiable through access logs and anomaly detection.

September 2, 2025: RMS files the breach notification with the Maine Attorney General and begins mailing notification letters to affected individuals. The total elapsed time from incident to notification is approximately six to seven months.

The notification letter, signed by Jean L. Robért of RMS, states the company engaged cybersecurity experts, assessed the scope of unauthorized access, notified the FBI, and implemented additional safeguards. The FBI notification suggests RMS views this as a criminal intrusion rather than accidental data exposure.

What Data Was Exposed

The compromised files contained five categories of personal information:

  • Social Security numbers -- the primary identifier for financial identity theft, tax fraud, and synthetic identity creation
  • Dates of birth -- combined with SSN, provides the complete profile needed to open financial accounts
  • Residential addresses -- enables targeted phishing, mail fraud, and address change schemes
  • Full names -- completes the identity profile
  • Medical information related to workplace injuries -- workers' comp claim data including injury type, treatment details, and disability assessments

The notification explicitly excludes financial account numbers, credit cards, and debit cards from the compromised data. This is a meaningful distinction: the breach is not a financial account takeover risk. It is an identity theft and medical identity theft risk.

Medical identity theft is particularly insidious. A stolen SSN can be used to obtain medical care, prescription drugs, or submit fraudulent insurance claims under the victim's identity. The contamination of medical records can lead to incorrect treatment decisions if the victim's records are mixed with the fraudster's health data. Unlike financial fraud, medical identity theft is difficult to detect -- victims often discover it only when they receive unexpected medical bills or when their insurance claims are denied due to exhausted benefits.

How the Subcontractor Breach Happened

RMS's notification is unusually direct about the cause: "an unauthorized individual gained access to our systems via a remote connection. This occurred due to a subcontractor's failure to follow established security protocols."

This language tells a specific story. RMS maintains remote access capabilities -- standard for a third-party administrator that needs to connect to carrier systems, medical provider networks, and state workers' comp boards. A subcontractor with remote access credentials failed to follow the security protocols governing that access. The most likely scenarios:

  • Shared or reused credentials: The subcontractor used credentials that were exposed in another breach, or shared credentials with unauthorized individuals
  • Disabled MFA: The subcontractor bypassed or failed to enable multi-factor authentication on a remote access session
  • Unsecured endpoint: The subcontractor accessed RMS systems from a compromised or unmanaged device, providing the attacker a path into the environment
  • Exposed remote desktop or VPN: The subcontractor misconfigured a remote access tool (RDP, VPN, or remote management software) that was then discovered and exploited by an attacker

The specificity of "failure to follow established security protocols" indicates that RMS had documented security requirements for remote access that the subcontractor violated. This creates a chain of accountability: RMS established the protocols, the subcontractor failed to follow them, and 22,300 workers' comp claimants are paying the price.

This pattern mirrors what happened in the Velocity Risk Underwriters breach, where a third-party vendor (WaterStreet) was compromised and exposed policyholder data. The common thread: insurance companies and their administrators rely on chains of subcontractors and vendors, and a single weak link in that chain can expose the entire client population.

Who Is Affected

The 22,300 affected individuals are workers' compensation claimants whose claims were administered by RMS on behalf of LCTA Workers' Comp. These are people who filed workplace injury claims -- they provided their SSNs, dates of birth, and medical details as required by the workers' compensation process. They had no choice in sharing this data and no direct relationship with RMS.

LCTA Casualty Insurance Company is a workers' compensation insurer. The notification letter emphasizes that "this applies only to the data that RMS holds for LCTA" and that "there is no indication that LCTA's systems have been impacted." This distinction matters for regulatory purposes -- LCTA itself was not breached -- but it provides no comfort to the 22,300 individuals whose data was stored on an RMS system that a subcontractor's negligence left exposed.

Regulatory and Legal Implications

Workers' compensation regulatory framework: Workers' comp data is subject to state insurance regulations and often carries additional protections because it includes medical information. State insurance commissioners who oversee workers' compensation insurers will want to understand how LCTA's third-party administrator allowed subcontractor-related unauthorized access. The breach may trigger examination scrutiny for both RMS and LCTA.

HIPAA considerations: While workers' compensation claims are generally exempt from HIPAA's privacy and security rules, the medical information in this breach -- injury-related treatment data -- may still be subject to state medical privacy laws. Several states extend medical privacy protections beyond HIPAA's scope, and the presence of medical data in the notification raises the compliance stakes.

State breach notification requirements: The filing covers Maine residents, but RMS's operations as a workers' comp administrator likely span multiple states. Each state has its own breach notification requirements, and the presence of medical data may trigger additional notification obligations in states that have expanded their breach notification statutes to cover health information.

Vicarious liability: RMS explicitly attributes the breach to a subcontractor's failure. This creates a layered liability chain: the subcontractor's negligence caused the breach, RMS is responsible for its subcontractor's actions, and LCTA selected RMS as its administrator. Plaintiffs' attorneys in a class action would target all three parties, arguing that LCTA failed to adequately oversee its administrator and that RMS failed to enforce its security protocols with its subcontractors.

FBI involvement: The notification states RMS reported the incident to the FBI. Bureau involvement typically indicates a criminal investigation -- either into the unauthorized access itself or into a broader campaign targeting workers' comp administrators or insurance TPAs.

The Insurance TPA Security Problem

Third-party administrators sit at a particularly vulnerable point in the insurance data supply chain. They handle sensitive claim data -- SSNs, medical records, financial information -- on behalf of carriers, but often operate with smaller security budgets and less mature security programs than the carriers they serve.

The subcontractor problem amplifies this risk. TPAs routinely engage subcontractors for specialized functions: independent medical examinations, pharmacy benefit management, data entry, and IT support. Each subcontractor with remote access is an additional entry point into the TPA's environment. According to FinSecLedger's breach tracker, third-party and vendor-originated breaches consistently account for a significant share of insurance sector incidents.

The Decisely Insurance Services breach, which exposed 113,984 records through a cloud storage compromise at a benefits brokerage, and the CNA Continental Casualty breach, where vendor Conduent's hack exposed CNA policyholder data, illustrate the same structural problem. Insurance data flows through complex chains of carriers, administrators, and vendors -- and attackers consistently target the weakest link.

The NAIC Insurance Data Security Model Law, adopted by a growing number of states, requires licensees to oversee their third-party service providers' information security practices. But enforcement has been inconsistent, and many TPAs operate below the regulatory radar because they are not themselves licensed insurers. RMS's breach may accelerate regulatory attention to TPA security standards, particularly around subcontractor access controls.

Action Items for Financial Institutions

  1. For affected individuals: Activate the complimentary ID theft and credit monitoring through Epiq Privacy Solutions using the activation code in your notification letter. Because medical information was exposed, also request a copy of your medical records from any providers who treated your workers' comp injury and check for unfamiliar entries. Contact your health insurance carrier to set up alerts for claims filed under your identity.

  2. For workers' comp carriers using TPAs: Request an immediate cybersecurity assessment from every TPA that handles your claim data. Specifically ask about remote access controls, subcontractor management, and MFA enforcement. Require TPAs to provide a current list of all subcontractors with remote access to systems containing your claimant data.

  3. For TPA security teams: Audit all subcontractor remote access immediately. Implement or enforce phishing-resistant MFA (FIDO2/WebAuthn) for all remote access sessions. Deploy privileged access management (PAM) tools that log, monitor, and time-limit subcontractor sessions. Segment networks so that subcontractor access is limited to the specific systems and data required for their function.

  4. For compliance and legal teams: Review your TPA agreements for subcontractor security requirements. Ensure contracts include: mandatory MFA, access logging, regular security assessments, incident notification within 24-48 hours, and the right to audit the TPA's subcontractor management. The RMS breach demonstrates that having "established security protocols" is insufficient without enforcement mechanisms and monitoring.

  5. For state insurance regulators: This breach highlights the TPA oversight gap. Workers' comp carriers are regulated; their TPAs often are not -- at least not with the same rigor. Consider whether TPA-specific cybersecurity examination procedures are needed, particularly around remote access governance and subcontractor management, given the sensitivity of workers' comp claim data.
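The remote-access failure scenarios listed under "How the Subcontractor Breach Happened" and the audit step in action item 3 map directly onto checks a TPA security team can run over its own remote-access logs. The script below is an added example, not RMS's, LCTA's or FinSecLedger's code: it audits subcontractor sessions against a written access policy and flags sessions without MFA, sessions from unmanaged endpoints, sessions that reach hosts outside the account's allow-list (a segmentation violation), sessions that exceed a PAM-style time limit, and one account appearing from two different source IPs within a short window (a shared-credential indicator). The one-JSON-object-per-line log format, the policy table, and every account, host, device and IP in it are constructed for the example.

```python
"""
Added example (not RMS's, LCTA's or FinSecLedger's code): audit subcontractor
remote-access sessions against a written access policy.

The log format (one JSON object per line), the policy table, and every
account, host, device and IP address below are constructed for this example.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed policy: the "established security protocols" in machine-readable form.
POLICY = {
    "max_session_minutes": 240,                       # PAM-style time limit per session
    "managed_devices": {"ime-laptop-01", "ime-laptop-02"},
    "accounts": {                                     # subcontractor roster + allow-lists
        "svc-ime-vendor": {"allowed_hosts": {"claims-db-01"}},
        "svc-pbm-vendor": {"allowed_hosts": {"pharmacy-gw-01"}},
    },
}

# Constructed sample of a remote-access log (one JSON object per line).
SAMPLE_LOG = """\
{"ts":"2025-02-23T08:02:00Z","account":"svc-ime-vendor","src_ip":"203.0.113.10","device":"ime-laptop-01","mfa":true,"host":"claims-db-01","duration_min":45}
{"ts":"2025-02-23T08:40:00Z","account":"svc-ime-vendor","src_ip":"198.51.100.77","device":"unknown-pc","mfa":false,"host":"claims-db-01","duration_min":610}
{"ts":"2025-02-23T09:15:00Z","account":"svc-pbm-vendor","src_ip":"192.0.2.5","device":"ime-laptop-02","mfa":true,"host":"claims-db-01","duration_min":20}
{"ts":"2025-02-23T10:00:00Z","account":"svc-pbm-vendor","src_ip":"192.0.2.5","device":"ime-laptop-02","mfa":true,"host":"pharmacy-gw-01","duration_min":30}
"""


def parse_log(text):
    """Parse one JSON session record per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _finding(session, reason, detail=""):
    return {"ts": session["ts"], "account": session["account"],
            "reason": reason, "detail": detail}


def audit_sessions(sessions, policy, window=timedelta(hours=1)):
    """Return a list of policy findings for the given session records."""
    findings = []
    by_account = defaultdict(list)  # account -> [(timestamp, src_ip)]

    for s in sessions:
        ts = datetime.fromisoformat(s["ts"].replace("Z", "+00:00"))
        acct = policy["accounts"].get(s["account"])
        if acct is None:
            # An account nobody vouches for should not have remote access at all.
            findings.append(_finding(s, "unknown_account"))
            continue
        if not s["mfa"]:
            findings.append(_finding(s, "no_mfa"))
        if s["device"] not in policy["managed_devices"]:
            findings.append(_finding(s, "unmanaged_device", s["device"]))
        if s["host"] not in acct["allowed_hosts"]:
            findings.append(_finding(s, "segmentation_violation", s["host"]))
        if s["duration_min"] > policy["max_session_minutes"]:
            findings.append(_finding(s, "session_too_long", f'{s["duration_min"]} min'))
        by_account[s["account"]].append((ts, s["src_ip"], s))

    # Shared-credential indicator: the same account from two different source
    # IPs inside the window. Records are sorted so the inner loop can stop early.
    for account, events in by_account.items():
        events.sort(key=lambda e: e[0])
        for i, (t1, ip1, _) in enumerate(events):
            for t2, ip2, s2 in events[i + 1:]:
                if t2 - t1 > window:
                    break
                if ip1 != ip2:
                    findings.append(_finding(s2, "shared_credential", f"{ip1} then {ip2}"))
    return findings


if __name__ == "__main__":
    for f in audit_sessions(parse_log(SAMPLE_LOG), POLICY):
        print(f'{f["ts"]} {f["account"]:16} {f["reason"]:24} {f["detail"]}')
```

Running it on the constructed log yields five findings: the second session trips the MFA, unmanaged-device and time-limit checks and, together with the first, the shared-credential check; the third session is a segmentation violation because the pharmacy vendor account reached the claims database. In production the policy table would come from the subcontractor inventory that action item 2 asks TPAs to maintain, and the findings would feed a ticket or alert rather than stdout.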

Tags: breach, insurance, workers-compensation, ssn, medical-data, maine, subcontractor, remote-access