TL;DR
IBM's 2025 Cost of a Data Breach Report puts the global average breach at $4.44 million, while U.S. organizations face an average of $9.36 million. Organizations using AI-driven security automation saved $2.22 million annually compared to those without. Below are two verified incidents with real dollar amounts—and practical controls your business can implement this week.
The $4.44 Million Wake-Up Call
Data breaches are not theoretical risks happening to someone else. They are cash events that show up in public filings, disrupt payroll, and force CEOs to testify before regulators. If you are a business owner thinking a breach is "an IT problem," look at the check stubs from Change Healthcare and MGM Resorts. The bills land in the CFO's inbox, not the server room.
Case Study 1: Change Healthcare — When $22 Million Is Not Enough
What happened. In February 2024, Change Healthcare—a subsidiary of UnitedHealth Group handling roughly 15 billion healthcare transactions annually—was hit by the ALPHV/BlackCat ransomware operation. Attackers accessed a Citrix portal that was not protected by multi-factor authentication (MFA), moved laterally, encrypted systems, and exfiltrated data. Pharmacy claims processing, eligibility checks, and payment systems halted nationwide.
How bad was it. UnitedHealth paid a reported $22 million ransom. The total financial damage was far worse. In public filings and earnings calls, UnitedHealth disclosed approximately $872 million in direct response costs and business disruption from the incident. Millions of patients had sensitive health data exposed, and independent pharmacies struggled to stay open for weeks.
How it could have been prevented. The initial entry point was a remote access portal without MFA. Basic network segmentation would have limited lateral movement to critical billing and claims databases. Immutable, offline backups would have removed the pressure to negotiate with extortionists.
What your business should do differently this week. Audit every system accessible from the public internet. If it does not have MFA enabled, disable external access today. One unprotected portal is all it takes.
Case Study 2: MGM Resorts — $100 Million Lost to a Phone Call
What happened. In September 2023, MGM Resorts fell to a social engineering attack. The Scattered Spider threat group called the company's IT help desk, impersonated an employee using information from LinkedIn and prior breaches, and convinced staff to reset passwords and bypass MFA. No malware was required—just patience and a convincing phone voice.
How bad was it. Slot machines went dark. Hotel keycards failed. Restaurants could not process payments. The company publicly estimated the total financial impact at roughly $100 million in lost revenue and recovery expenses. Systems were offline for approximately 10 days.
How it could have been prevented. The help desk lacked out-of-band identity verification for high-risk requests like password resets. Privileged access management (PAM) and endpoint detection and response (EDR) were not enough to stop an attacker operating with legitimate credentials.
What your business should do differently this week. Add an out-of-band verification step for all administrative password resets and account changes. A second phone call to a pre-registered manager number—or an in-person verification—costs nothing compared to a week of downtime.
The Hidden Tax: Shadow AI and Sector Cost Creep
Not every breach makes headlines with a named company. IBM's 2025 report found that organizations with high levels of "shadow AI"—employees using unauthorized consumer AI tools for work—faced average breach costs of $4.74 million, roughly $670,000 higher than organizations with strict AI governance. In the healthcare sector, the average cost hit $7.42 million per incident, while the industrial sector averaged $5.56 million.
Attackers are also weaponizing AI. IBM found artificial intelligence was used in 16% of breaches to enhance phishing and deepfake campaigns. The old phishing grammar errors are being replaced by polished, AI-generated messages that bypass human skepticism.
What your business should do differently this week. Scan your network for traffic to consumer AI platforms. Review whether employees are uploading internal documents, source code, or customer data to unmanaged services. Block sensitive data uploads at the DNS or proxy level until you have a governed AI policy.
What Your Business Should Do Differently This Week
Here are four controls that directly address the failures above:
- Remote access lockdown. MFA on every VPN, portal, and cloud admin account. No exceptions.
- Backup segregation. Ensure your backups are immutable, offline, or in a separate identity domain from your production network.
- Help desk hardening. Require out-of-band verification for any credential reset or MFA bypass request.
- Shadow AI discovery. Check firewall logs for unexpected AI tool usage and issue a short AI acceptable-use policy.
FAQ
We're a small business—do these numbers apply to us?
The IBM figures are enterprise-weighted, but the pattern scales down. A ransomware attack against an Australian SMB can cost $150,000 to $500,000 in downtime, recovery, and reputational damage. For many small businesses, that is terminal.
What's the fastest way to reduce breach cost?
Detection speed. IBM found breaches identified in under 200 days cost roughly $1 million less than those with longer dwell times. A managed detection and response (MDR) service or basic SIEM pays for itself if it catches one threat early.
Is paying the ransom ever the cheaper option?
No. Change Healthcare paid $22 million and still suffered $872 million in total impact. Payment does not guarantee data deletion, does not restore systems instantly, and may expose you to sanctions liability depending on the threat actor.
How do I stop shadow AI without blocking legitimate productivity?
Focus on data exposure, not keystrokes. Use DNS and firewall logs to identify bulk uploads to consumer AI services. Deploy data loss prevention (DLP) rules that flag files containing customer PII, financial records, or intellectual property. Give employees an approved, governed alternative so they don't need the shadow route.
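The shadow AI discovery control described above, as an added example that is not part of the original post: it parses constructed proxy log lines, sums request bytes per user to a hypothetical watchlist of consumer AI domains, and reports the pairs that exceed an assumed upload threshold. The log format, domain list and threshold are all assumptions; adapt them to your proxy's real output.

```python
# Added example (not from the original post): flag bulk uploads to consumer AI
# services in proxy/firewall logs. The log format, the sample lines, the domain
# watchlist and the threshold are constructed for this example.
import re
from collections import defaultdict

# Constructed sample log lines: timestamp user method host bytes_sent
SAMPLE_LOG = """\
2025-03-03T09:14:02Z alice POST chat.openai.com 5242880
2025-03-03T09:15:11Z alice POST chat.openai.com 7340032
2025-03-03T09:20:45Z bob GET www.example.com 512
2025-03-03T09:22:08Z carol POST gemini.google.com 204800
2025-03-03T09:30:30Z bob POST claude.ai 1048576
this line is not in the expected format
"""

# Hypothetical watchlist of consumer AI domains; extend it for your environment.
CONSUMER_AI_DOMAINS = {"chat.openai.com", "claude.ai", "gemini.google.com"}

# Assumed per-(user, host) upload volume, in bytes, that counts as "bulk".
UPLOAD_THRESHOLD = 4 * 1024 * 1024

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT) (\S+) (\d+)$")

def parse_line(line):
    """Return (user, host, bytes_sent) for an upload-capable request, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # unparsable line: skip instead of crashing on a noisy log
    _ts, user, method, host, sent = m.groups()
    if method == "GET":
        return None  # a GET carries no request body, so it is not an upload
    return user, host.lower(), int(sent)

def find_bulk_uploads(log_text, threshold=UPLOAD_THRESHOLD):
    """Sum upload bytes per (user, host) for watchlisted domains; return those at or over threshold."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        user, host, sent = parsed
        # Match the exact host or any subdomain of a watchlisted domain
        if any(host == d or host.endswith("." + d) for d in CONSUMER_AI_DOMAINS):
            totals[(user, host)] += sent
    return {k: v for k, v in totals.items() if v >= threshold}

if __name__ == "__main__":
    for (user, host), total in sorted(find_bulk_uploads(SAMPLE_LOG).items()):
        print(f"FINDING: {user} sent {total / 1024 / 1024:.1f} MiB to {host}")
```

On the sample data only alice's two uploads to chat.openai.com cross the threshold; bob's single 1 MiB upload to claude.ai stays below it, which is the kind of low-volume use you would review rather than alert on.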
Conclusion
Change Healthcare and MGM Resorts prove that attackers do not need exotic zero-day vulnerabilities. An unprotected portal and a convincing phone call were enough to cost nearly a billion dollars combined. Meanwhile, IBM's data proves the defenders who invested in automation and governance saved an average of $2.22 million per year.
The gap between surviving a breach and folding under one is not the size of your IT budget. It is the speed of your response plan and the rigor of your basic controls. You do not need a Fortune 500 security stack to avoid becoming a headline. You need MFA, segmented backups, and a help desk that verifies identity before resetting passwords.
References
- IBM Cost of a Data Breach Report 2025
- ACSC Essential Eight Maturity Model
- PurpleSec Average Cost of Ransomware Attacks 2025
TL;DR
- A company called Navia that helps manage benefits (like health savings accounts) got hacked
- 2.7 million people's personal information was stolen – including names, birthdays, and Social Security Numbers
- The hackers had access for 3 whole weeks before anyone noticed
- This shows why businesses need to be careful about which companies they trust with their data
- Even if you don't use Navia, your employees might be affected
What Happened?
Imagine you give your house key to a friend so they can feed your cat while you're on vacation. But what if that friend leaves the key under the doormat where anyone can find it?
That's kind of what happened with Navia.
Navia is a company that helps businesses manage employee benefits – things like:
- Health savings accounts (FSA and HSA)
- Commuter benefits
- COBRA services (continuing health insurance after leaving a job)
Over 10,000 companies trust Navia with their employees' personal information [1].
In December 2025, hackers broke into Navia's computers. For three whole weeks – from December 22 to January 15, 2026 – they could look at private information without anyone stopping them [2].
What Did the Hackers Steal?
The hackers took personal information about 2.7 million people [3]:
- Full names
- Birthdays
- Social Security Numbers (like a secret ID number for every person in the US)
- Phone numbers
- Email addresses
- Information about health benefits
Think of it like this: If someone steals your backpack, they might get your homework. But if they steal this information, they can pretend to be you, open credit cards in your name, and cause big problems.
Why This Matters (Even If You've Never Heard of Navia)
Here's the tricky part: You might not know Navia, but they might have information about your employees.
How? Because your employees might have:
- Used Navia at a previous job
- A spouse who works for a company that uses Navia
- Health benefits through a different company that uses Navia
When Navia got hacked, information about your employees could have been stolen – even though your business did nothing wrong.
It's like your friend's house getting burglarized because they left your spare key under the doormat. You didn't do anything wrong, but now the burglar has your key too.
The "Supply Chain" Problem
This is called a supply chain breach. Let me explain:
Imagine you buy ingredients for a restaurant. You trust the grocery store to sell you good food. But what if the grocery store's supplier sells them spoiled ingredients? Now your customers get sick – even though you bought from a trusted store.
In business, when you hire another company to do work for you (like manage benefits or process payroll), you're trusting them with your data. If they get hacked, you have a problem too.
According to IBM's 2025 report, when a data breach happens through a third-party vendor, it costs businesses an average of $4.88 million – much more than regular breaches [4].
What Businesses Should Do
If you run a business, here's what you should learn from the Navia breach:
1. Know Who Has Your Data
Make a list of every company that handles your employees' information:
- Benefits companies (health insurance, FSA, HSA)
- Payroll companies
- HR software
- Any other service that has personal information
You can't protect what you don't know about.
2. Check Their Security
Before trusting a company with important data, ask:
- "How do you protect this information?"
- "Have you ever had a breach before?"
- "What will you do if you get hacked?"
- "Do you have insurance to help fix problems?"
It's like checking if a babysitter has experience before trusting them with your kids.
3. Have a Backup Plan
What would you do if one of your vendors called and said, "We got hacked, and your employees' data was stolen"?
You should plan this before it happens:
- Who needs to know? (Employees, customers, maybe even the news)
- What will you tell them?
- How will you help fix the problem?
What Employees Should Do
If you receive a letter saying your information was stolen in the Navia breach:
1. Don't Panic – But Don't Ignore It
Getting a breach letter is scary, but you have time to act carefully. Don't click on links in emails that say "fix your credit now" – those might be scams too.
2. Use the Free Credit Monitoring
Navia is offering free credit monitoring for one year through a company called Kroll [5]. This means they'll watch your credit report and tell you if someone tries to open an account in your name.
You should sign up for this. Your breach notification letter will have a special code to enroll.
3. Freeze Your Credit
This is the strongest protection. A credit freeze means:
- No one can open new credit cards or loans in your name
- You can still use your existing credit cards
- It's free to do
- You have to contact each of the three credit companies separately
To freeze your credit, contact:
- Equifax: equifax.com/personal/credit-report-services/
- Experian: experian.com/freeze/center.html
- TransUnion: transunion.com/credit-freeze
4. Watch Out for Scams
When hackers steal personal information, they use it to trick people.
Be careful of:
- Emails that know your name or birthday (the hackers stole this info!)
- Text messages claiming to be from Navia or Kroll
- Phone calls from people offering to "help" you fix the problem
Real companies will NEVER:
- Ask for your password in an email
- Ask you to pay money to fix a breach
- Demand you act immediately or something bad will happen
If you're not sure if something is real, contact the company directly using their official website or phone number (not the one in the suspicious email).
The Big Lesson
The Navia breach teaches us something important: When you trust someone else with important information, their security becomes YOUR problem.
You can lock all your doors and windows, but if you give a spare key to a company that leaves it under the doormat, a burglar can still get in.
For businesses, this means:
- Carefully choose which companies you trust with employee data
- Check their security before giving them access
- Plan ahead for what you'll do if they get breached
For individuals, it means:
- Take breach notifications seriously – don't ignore them
- Use free credit monitoring when it's offered
- Freeze your credit if your Social Security Number is stolen
- Watch out for scams that use stolen personal information
What to Do Right Now
If you run a business:
- Make a list of all companies that handle your employees' data
- Ask them about their security practices
- Make a plan for what you'll do if one of them gets breached
If you receive a Navia breach letter:
- Enroll in the free credit monitoring (use the code in your letter)
- Freeze your credit with all three bureaus
- Be extra careful about emails, texts, and phone calls
- Check your credit reports regularly for the next year
Security isn't just about locking your own doors. It's about making sure everyone you trust with your keys knows how to keep them safe.
FAQ
What is a supply chain breach?
A supply chain breach happens when hackers attack a company that you do business with (like a benefits provider or payroll company), instead of attacking you directly. When that company gets breached, your data or your employees' data can be stolen – even though you did nothing wrong. It's like your friend's house getting burglarized because they left your spare key under the doormat [1][4].
What should I do if I get a Navia breach letter?
First, don't panic – but don't ignore it. Enroll in the free credit monitoring that Navia is offering (your letter will have a code to sign up). Freeze your credit with all three bureaus (Equifax, Experian, TransUnion) – this is free and prevents anyone from opening new credit in your name. Watch out for scams that use your stolen information to trick you. And check your credit reports regularly for the next year [5].
What's the difference between a credit freeze and a fraud alert?
A credit freeze is like locking a door – nobody can open new credit in your name until you unlock it. A fraud alert is like putting up a sign that says "check ID before letting anyone in" – it tells credit companies to verify your identity, but doesn't completely block new credit. A freeze is stronger protection, but both are free and you should use them if your Social Security Number is stolen [5].
What should businesses do to protect against vendor breaches?
Businesses should: (1) Make a list of every company that handles employee data, (2) Check their security before hiring them (ask about their practices, insurance, and past breaches), (3) Put security rules in contracts (like requiring them to tell you immediately if they're hacked), and (4) Make a plan for what you'll do if a vendor gets breached – so you're not scrambling when it happens [4].
References
[1] Tom's Guide, "2.7 million hit in workplace benefits data breach with full names, dates of birth, SSNs and more exposed — what to do now," March 20, 2026. [Online]. Available: https://www.tomsguide.com/computing/online-security/2-7-million-hit-in-workplace-benefits-data-breach-with-full-names-dates-of-birth-ssns-and-more-exposed-what-to-do-now
[2] BleepingComputer, "Navia discloses data breach impacting 2.7 million people," March 20, 2026. [Online]. Available: https://www.bleepingcomputer.com/news/security/navia-discloses-data-breach-impacting-27-million-people/
[3] Navia Benefit Solutions, "Notice of Data Breach," March 2026. [Online]. Available: https://www.documentcloud.org/documents/27895002-navia-notice/
[4] IBM Security, "Cost of a Data Breach Report 2025," IBM, 2025. [Online]. Available: https://www.ibm.com/reports/data-breach
[5] Tom's Guide, "2.7 million hit in workplace benefits data breach," March 20, 2026. [Online]. Available: https://www.tomsguide.com/computing/online-security/2-7-million-hit-in-workplace-benefits-data-breach-with-full-names-dates-of-birth-ssns-and-more-exposed-what-to-do-now