GMA (George McElroy & Associates, Inc.): McElroy & Associates (OPEH&W Health Plan) Data Breach Affects 6,633 People

McElroy & Associates Suffers Data Breach Exposing PII and PHI of 6,633 Individuals

McElroy & Associates, Inc. disclosed a data breach affecting 6,633 individuals in the U.S., exposing personally identifiable information (PII) and protected health information (PHI). The breach was reported to the U.S. Department of Health and Human Services on October 17, 2025, after suspicious activity was detected in an employee’s email account on May 30, 2025.

An investigation revealed that an unauthorized actor accessed emails between May 28 and May 30, 2025, compromising sensitive data, including names, addresses, Social Security numbers, dates of birth, driver’s license numbers, financial account details, medical records, health insurance information, and login credentials. By September 3, 2025, the company completed its analysis and began notifying affected individuals via mail, while also posting a Notice of Data Security Event on its website.

In response, McElroy & Associates secured its email systems, conducted a thorough investigation, and implemented measures to mitigate further risk. A dedicated helpline (833-866-9545) was established for affected individuals seeking assistance.

Source: https://www.claimdepot.com/data-breach/mcelroy-associates-2025

GMA (George McElroy & Associates, Inc.) cybersecurity rating report: https://www.rankiteo.com/company/george-mcelroy-&-associates-inc-gma-

{
  "id": "GEO1765824401",
  "linkid": "george-mcelroy-&-associates-inc-gma-",
  "type": "Breach",
  "date": "5/2025",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'customers_affected': '6,633',
                        'location': 'U.S.',
                        'name': 'McElroy & Associates, Inc.',
                        'type': 'Company'}],
 'attack_vector': 'Compromised Employee Email Account',
 'customer_advisories': 'Dedicated help line at 833-866-9545, available from 8 '
                        'a.m. to 8 p.m. ET',
 'data_breach': {'number_of_records_exposed': '6,633',
                 'personally_identifiable_information': ['Names',
                                                         'Addresses',
                                                         'Social Security '
                                                         'numbers',
                                                         'Dates of birth',
                                                         'Driver’s license '
                                                         'numbers',
                                                         'Financial account '
                                                         'details',
                                                         'Health insurance '
                                                         'information',
                                                         'Usernames with '
                                                         'passwords'],
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Personally Identifiable '
                                              'Information (PII)',
                                              'Protected Health Information '
                                              '(PHI)']},
 'date_detected': '2025-05-30',
 'date_publicly_disclosed': '2025-10-17',
 'description': 'McElroy & Associates, Inc. experienced a significant data '
                'breach that exposed the personally identifiable information '
                '(PII) and protected health information (PHI) of 6,633 '
                'individuals in the U.S. An unauthorized actor gained access '
                'to certain emails containing sensitive information.',
 'impact': {'data_compromised': 'PII and PHI of 6,633 individuals',
            'identity_theft_risk': 'High',
            'payment_information_risk': 'High',
            'systems_affected': 'Employee email accounts'},
 'initial_access_broker': {'entry_point': 'Employee email account'},
 'investigation_status': 'Completed',
 'recommendations': ['Carefully review any notice or communication from '
                     'McElroy & Associates or your provider.',
                     'Monitor financial accounts and credit reports for signs '
                     'of identity theft.',
                     'Consider placing fraud alerts or credit freezes with the '
                     'major credit bureaus.',
                     'Be cautious of unsolicited emails or phone calls '
                     'requesting personal information.'],
 'references': [{'source': 'McElroy & Associates Notice of Data Security '
                           'Event'}],
 'regulatory_compliance': {'regulatory_notifications': 'U.S. Department of '
                                                       'Health and Human '
                                                       'Services'},
 'response': {'communication_strategy': 'Notice of Data Security Event on '
                                        'website, mailed notifications',
              'containment_measures': 'Secured email environment',
              'incident_response_plan_activated': 'Yes',
              'recovery_measures': 'Notification of affected individuals, '
                                   'dedicated help line',
              'remediation_measures': 'Comprehensive investigation, review of '
                                      'impacted information'},
 'threat_actor': 'Unauthorized Actor',
 'title': 'McElroy & Associates Data Breach',
 'type': 'Data Breach'}