On or about October 6, 2025, Milliman Financial Risk Management (“Milliman FRM”) detected unauthorized access to its data by an external actor on September 25, 2025. The intrusion occurred on a Milliman FRM server that was not connected to the rest of Milliman FRM’s network. The unauthorized party only had access for a few minutes before detection. Milliman FRM immediately isolated and secured the system, initiated a designed shutdown, and implemented its disaster recovery protocols.
Milliman FRM reports that backup data and recovery plans worked as intended, and operations were restored within three days. According to Milliman FRM, the exposed data consisted of operational data and did not include any Personally Identifiable Information (PII). However, any unauthorized access to sensitive systems poses a significant cybersecurity risk.
Milliman FRM, an international actuarial and consulting firm headquartered in Seattle, Washington, was founded in 1947 by Wendell Milliman and Stuart A. Robertson. The firm, which provides services in employee benefits, healthcare, and insurance, operates 59 offices globally and employs over 3,000 people. Owned and managed by roughly 350 principals, Milliman FRM offers data analysis and predictive analytics.
Following the incident, Milliman FRM took steps to secure its systems and continues to monitor for any potential misuse. If you received a Data Breach notification letter from Milliman, it confirms that your information may have been involved in this incident.
What information is involved in the Milliman FRM Data Breach?
Compromised information may include:
Clients’ Financial Portfolios
Account Balances and Transfers
Internal Operating Files
Financial and Accounting Files
Contracts, Agreements, Projects, etc.
Your Personally Identifiable Information (PII) includes details that can be used to identify you. Organizations are legally obligated to safeguard this data, and failure to do so can result in statutory fines and other legal consequences. If PII is stolen, it may be exploited by criminals to commit identity fraud.
A specific category of PII is Protected Health Information (PHI), which pertains to personal medical data. PHI is safeguarded under both federal and state regulations. Entities such as healthcare providers and businesses that manage PHI must ensure its security. Just like PII, compromised PHI can be misused by identity thieves, and it’s common for cybercriminals to use both types of information together.
If your data has been exposed in a breach, one of the most effective steps you can take is to enroll in credit and identity monitoring services promptly.
Residents of California benefit from additional privacy protections under the California Consumer Privacy Act (CCPA), which grants enhanced rights regarding personal data. California residents also benefit from medical privacy protections under the Confidentiality of Medical Information Act (CMIA), which specifically grants enhanced protections for confidential medical data.
If you received a NOTICE OF DATA BREACH letter from Thompson & Horton, your personal, financial, and/or medical information may be at risk. This type of data can be exploited by identity thieves to commit fraud and other crimes.
Contact the Privacy Breach Attorneys at Emery | Reddy today for a Free Case Review.