
Teamsters Union 25 Benefit Plan Breach Exposes Member Data in Network Intrusion

Analysis of the Teamsters Union 25 Health Services & Insurance Plan breach affecting 13 Maine residents after unauthorized network access exposed SSNs and personal data.

By FinSecLedger
Records: 13
Vector: hacking
Status: confirmed
Occurred: Aug 1, 2025
Discovered: Aug 1, 2025
Disclosed: Sep 3, 2025
Exposed: Names, SSN, DOB, Addresses
Sources: Maine AG

Teamsters Union 25 Health Services & Insurance Plan (HSIP) disclosed a data breach on September 3, 2025, after identifying unauthorized access to its network on August 1, 2025. The Maine Attorney General filing reports 13 affected Maine residents, with compromised data including names, Social Security numbers, dates of birth, and addresses. The affected individuals span two related entities: 6 were associated with the Teamsters Union 25 Health Services & Insurance Plan, and 7 with the Teamsters Local 25 Investment Plan.

The small record count belies a more significant story. Union benefit plans hold some of the most sensitive financial and health data in the labor ecosystem -- member SSNs, retirement account balances, health claims history, and beneficiary designations. When these plans get breached, the exposed data cuts across financial, health, and employment dimensions simultaneously.

Timeline: Detection to Notification in 33 Days

August 1, 2025: HSIP identified potential unauthorized access to its network. The notification states that HSIP "took immediate steps to isolate and secure its network and engaged third-party specialists to assist with containing and investigating the activity." Same-day detection and response suggests either active monitoring flagged the intrusion or the attack caused visible disruption.

August 1 to August 18, 2025: HSIP's investigation confirmed that "certain data within its network was accessed and potentially copied without authorization." The "potentially copied" language is significant: it indicates possible data exfiltration, not just unauthorized viewing. In practice the hedge usually means the investigators lacked the egress or file-access logging needed to confirm or rule out copying, which is itself a finding about the environment. During this period, HSIP also reviewed the compromised data to identify affected individuals and determine which data elements were involved.

August 18, 2025: HSIP completed its review and identified 13 Maine residents as potentially impacted. The 17-day turnaround from detection to completed review is fast by the standard of the breaches in our tracker. For comparison, the NAHGA Claims Services breach took six months from detection (April 10) to completing its data review (October 17).

September 3, 2025: HSIP mailed notification letters to affected individuals, 33 days after detecting the breach and 16 days after completing its review. Maine's 30-day clock runs from the date the scope of the breach is identified, so the August 18 determination set a September 17 deadline, which HSIP met with two weeks to spare.

The 33-day total timeline from detection to notification is unusually fast for a financial services breach; industry data such as the Verizon DBIR shows that breaches commonly take weeks or longer to discover and longer still to disclose. HSIP's quick turnaround may reflect the small scope of the breach, a well-prepared incident response plan, or both.

What Data Was Exposed

The Maine AG filing identifies four categories of compromised personal information:

  • Names -- baseline for all social engineering and targeted phishing attacks
  • Social Security numbers -- the foundation for identity fraud, tax refund fraud, and new account openings
  • Dates of birth -- combined with SSN, provides the full identity package needed for most verification processes
  • Addresses -- enables mail interception fraud and physical social engineering

The exposed data covers members of two related Teamsters Local 25 benefit entities. The Health Services & Insurance Plan (6 affected) holds medical and insurance-related data. The Investment Plan (7 affected) holds retirement and financial account data. The notification does not specify whether additional data types beyond the four listed above were involved for either group, but the underlying plan records would typically include health claims, contribution histories, and beneficiary information.

For union members, the exposure of SSN and DOB from a benefit plan is particularly concerning because the same SSN is the key identifier across all of their plan-related accounts -- health insurance, retirement savings, life insurance, and disability coverage. A single SSN exposure can put all of these at risk.

How the Attack Happened

The filing describes "unauthorized access" to HSIP's network without specifying the attack vector. The data was "accessed and potentially copied without authorization" -- language that indicates the attacker had sufficient network access to reach data stores containing member information.

Union benefit plan administrators are attractive targets for the same reason insurance intermediaries are: they aggregate sensitive personal data from a defined population into centralized systems. A Teamsters local with thousands of members has health, retirement, and insurance records for every one of them, often managed by a small administrative staff with limited cybersecurity resources.

The attack on HSIP shares characteristics with other small financial services breaches we have tracked. The Batchelder Bros. Insurance breach, disclosed in August 2025, involved a network intrusion at a small insurance agency that exposed SSNs, financial accounts, and driver's licenses. The Chalmers Insurance Group breach in October 2025 followed a similar pattern -- a multi-day network intrusion at an insurance broker that compromised member data. These incidents share a common profile: small organizations with high-value data and limited security infrastructure.

HSIP uses Cyberscout (a TransUnion subsidiary) for credit monitoring services, which is a standard vendor for breach response. The offering is single-bureau credit monitoring rather than the three-bureau monitoring seen in larger breaches, which likely reflects the smaller scope and budget of this incident.

Who Is Affected

The 13 affected Maine residents represent a subset of the total breach population; the Maine AG filing only covers Maine residents, and the actual total may be higher. Teamsters Local 25 is based in the Boston area and primarily represents workers in freight, moving, warehouse, and related industries across New England. The affected members are likely current or former participants in the union's health insurance and retirement plans.

The notification identifies 106 Rhode Island residents as separately impacted -- mentioned in the Rhode Island-specific disclosure language at the end of the notification letter. Combined with the 13 Maine residents, the total confirmed affected population is at least 119 individuals across two states, with the total potentially higher when accounting for Massachusetts and other New England states where Teamsters Local 25 operates.

Regulatory and Legal Implications

Union benefit plans operate under a dual regulatory framework that creates unique compliance obligations.

ERISA: As employee benefit plans, both the Health Services & Insurance Plan and the Investment Plan are governed by the Employee Retirement Income Security Act. The Department of Labor's cybersecurity best practices for ERISA plans, issued in 2021 and confirmed in 2024 to apply to health and welfare plans as well as retirement plans, expect plan fiduciaries to prudently select and monitor service providers, ensure cybersecurity practices are in place, and respond to cybersecurity incidents. While the DOL guidance is framed as best practices rather than binding regulation, fiduciaries who ignore it face potential liability under ERISA's prudent expert standard.

State insurance regulation: Whether state insurance law reaches the health plan depends on how it is funded. A self-funded ERISA plan is generally shielded from state insurance regulation by ERISA preemption, while a fully insured plan's carrier and any licensed third-party administrator are subject to it, including the NAIC Insurance Data Security Model Law in states that have adopted it. Separately, the Massachusetts data security regulation (201 CMR 17.00) applies to any entity that holds personal information of Massachusetts residents, regardless of industry, and requires a written information security program; given Teamsters Local 25's Boston base, that obligation likely applies to both plans.

State breach notification laws: Maine's 30-day notification requirement (10 M.R.S. Section 1348) was met. Rhode Island's breach notification statute requires notification within 45 days of confirmation. Massachusetts requires notification "as soon as practicable and without unreasonable delay."
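The day counts in the timeline above and the per-state deadlines just listed are the kind of check a response plan should be able to run on day one, before the scope review is finished. The following Python is added here as an example; it is not code from HSIP, the Maine AG, or any regulator. It encodes the three rules as this article characterizes them (30 days from scope determination in Maine, 45 days from confirmation in Rhode Island, a reasonableness standard with no fixed day count in Massachusetts) and reports, for any incident, the deadline, days used, days remaining and whether notification met it. The rule table, the `Incident` and `Rule` types and the helper names are assumptions of this example, the rule summary is not legal advice, and the HSIP dates are the ones in the filing.

```python
"""Breach-notification deadline checker.

Added example, not code from HSIP, the Maine AG, or any regulator. The rule
table summarizes the statutes as characterized in the article and is an
assumption of this example, not legal advice.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Optional, Tuple, Union

DateLike = Union[date, str]


def _as_date(value: DateLike) -> date:
    """Accept a date or an ISO-8601 string (YYYY-MM-DD)."""
    return value if isinstance(value, date) else date.fromisoformat(value)


@dataclass(frozen=True)
class Rule:
    state: str
    trigger: str              # Incident field that starts the clock
    max_days: Optional[int]   # None: statute sets no fixed outer limit


# Assumed rule set, derived from the citations in the article.
RULES: Tuple[Rule, ...] = (
    Rule("Maine", "determined", 30),          # 10 M.R.S. 1348: 30 days once the scope is identified
    Rule("Rhode Island", "determined", 45),   # R.I. Gen. Laws 11-49.3-4: 45 days after confirmation
    Rule("Massachusetts", "detected", None),  # M.G.L. c. 93H: "as soon as practicable"; no day count
)


@dataclass(frozen=True)
class Incident:
    detected: date                   # unauthorized access first identified
    determined: date                 # review complete, affected population identified
    notified: Optional[date] = None  # letters mailed; None while the incident is open

    @classmethod
    def from_iso(cls, detected: str, determined: str, notified: Optional[str] = None) -> "Incident":
        return cls(_as_date(detected), _as_date(determined),
                   None if notified is None else _as_date(notified))


def deadline(rule: Rule, incident: Incident) -> Optional[date]:
    """Date by which notice must go out under this rule, or None when the
    statute only imposes a reasonableness standard."""
    if rule.max_days is None:
        return None
    return getattr(incident, rule.trigger) + timedelta(days=rule.max_days)


def evaluate(incident: Incident, as_of: Optional[DateLike] = None,
             rules: Tuple[Rule, ...] = RULES) -> Dict[str, dict]:
    """Per-state status. 'met' is True/False once letters are out and a fixed
    deadline exists; None while the clock is still running or under a
    reasonableness-only standard (Massachusetts)."""
    end = incident.notified or _as_date(as_of or date.today())
    report: Dict[str, dict] = {}
    for rule in rules:
        start = getattr(incident, rule.trigger)
        due = deadline(rule, incident)
        report[rule.state] = {
            "deadline": due,
            "days_used": (end - start).days,
            "days_remaining": None if due is None else (due - end).days,
            "met": None if (due is None or incident.notified is None) else incident.notified <= due,
        }
    return report


def timeline(incident: Incident) -> Dict[str, int]:
    """The headline intervals the article reports for HSIP (17, 16 and 33 days)."""
    out = {"detect_to_determine": (incident.determined - incident.detected).days}
    if incident.notified is not None:
        out["determine_to_notify"] = (incident.notified - incident.determined).days
        out["detect_to_notify"] = (incident.notified - incident.detected).days
    return out


# HSIP dates from the Maine AG filing.
HSIP = Incident.from_iso("2025-08-01", "2025-08-18", "2025-09-03")

if __name__ == "__main__":
    print(timeline(HSIP))
    for state, row in evaluate(HSIP).items():
        print(f"{state:14} due={row['deadline']} used={row['days_used']:>3} "
              f"left={row['days_remaining']} met={row['met']}")
    # Constructed counterfactual: same incident, letters mailed on September 20.
    late = Incident.from_iso("2025-08-01", "2025-08-18", "2025-09-20")
    print("late filing, Maine:", evaluate(late)["Maine"])
```

Run with an open incident (no `notified` date) and an `as_of` of today to get a live countdown per state; the Massachusetts row deliberately never reports `met`, because a reasonableness standard is a judgment for counsel, not a date comparison. The constructed late case in `__main__` shows the failure mode a plan wants to see early: the same incident misses Maine's deadline by three days while still clearing Rhode Island's.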

The intersection of ERISA fiduciary duties and cybersecurity is an evolving area. The DOL has signaled through enforcement actions and guidance that plan administrators who fail to implement adequate cybersecurity controls may be breaching their fiduciary duties. For union-sponsored plans, the plan trustees -- typically union officials and employer representatives -- bear this fiduciary responsibility. A breach that exposes member SSNs and financial data could trigger DOL scrutiny of the plan's cybersecurity practices and vendor management.

The Bigger Picture

Union benefit plans represent an underexamined category of financial data custodians. They hold the same sensitive data as banks and insurance carriers -- SSNs, account numbers, health records, beneficiary information -- but operate with smaller administrative budgets and less regulatory oversight of their cybersecurity practices.

Our breach tracker shows that insurance-adjacent entities have been disproportionately targeted in 2025. The Decisely Insurance Services breach exposed 113,984 records across 225+ employer plans. The Cove Risk Services breach compromised 49,385 workers' compensation records. The NAHGA Claims Services breach affected 5,072 individuals through an insurance intermediary. Each of these entities sits at a nexus of data relationships -- holding information on behalf of plan sponsors, carriers, and individual members -- and each breach demonstrates that the security of the entire chain depends on the weakest administrative link.

The DOL's 2021 cybersecurity guidance for ERISA plans was a first step, but the enforcement mechanism remains unclear. The Government Accountability Office (GAO), in its 2021 report on retirement plan cybersecurity, recommended that the DOL formally state whether cybersecurity is a fiduciary responsibility and set minimum expectations for mitigating cybersecurity risk, rather than relying on voluntary best practices. Until binding requirements exist, union benefit plans and other ERISA fiduciaries face an environment where the standard of care is defined more by litigation outcomes than by clear regulatory mandates.

The FS-ISAC (Financial Services Information Sharing and Analysis Center) provides threat intelligence and best practices to its financial institution members, but union benefit plans rarely participate in these sharing arrangements. That gap leaves plan administrators without the early warning signals that help larger financial institutions detect and prevent attacks.

Action Items

For affected members:

  1. Enroll in Cyberscout monitoring using the code from your notification letter. The service includes single-bureau credit monitoring and fraud assistance.

  2. Place a credit freeze with all three bureaus (Equifax, Experian, TransUnion). With SSN and DOB exposed, a freeze is the most effective defense against new account fraud. Freezes are free and can be temporarily lifted when you need to apply for credit.

  3. Monitor your benefit plan accounts directly. Check your health plan for unfamiliar claims and your investment plan for unauthorized transactions or address changes. Contact the plan administrator if anything looks wrong.

  4. Obtain an IRS Identity Protection PIN at irs.gov/ippin. Once it is in place, a return filed with your SSN but without the PIN is rejected, which blocks tax refund fraud using the compromised number.

For union benefit plan administrators:

  1. Review your DOL cybersecurity compliance. The 2021 guidance expects plan fiduciaries to have documented cybersecurity practices, conduct risk assessments, and manage service provider security. If your plan lacks a written information security program, that should be the first priority.

  2. Segment plan data from general administrative systems. Member SSNs, health claims, and financial records should not be accessible from the same network segment as email and general office systems.

  3. Implement multi-factor authentication on all systems that access plan data. MFA is specifically called out in the DOL's cybersecurity guidance as an expected control.

  4. Establish incident response procedures before an incident occurs. HSIP's 33-day notification timeline demonstrates what is possible with a prepared response plan. Ensure your plan includes pre-identified forensic vendors, breach counsel, and notification logistics.

Tags: breach, insurance, hacking, ssn, maine, benefit-plan, union