Beacon Mutual ransomware attack exposed data of 4,500 current and former RI state employees

The personal information of an estimated 132,000 Rhode Islanders was involved in a January cyberattack on Beacon Mutual Insurance, the Warwick-based workers’ comp company revealed this week.

Beacon is the third party vendor that administers the state’s workers compensation insurance policy. Karen Greco, spokesperson for the Rhode Island Department of Administration, told Rhode Island Current in an email Friday that the affected individuals included a few thousand state employees, both past and present.

Beacon, Greco wrote, “informed the State of Rhode Island that they experienced a data breach in January that potentially exposed personal identifiable information that belonged to approximately 4,500 current and former state employees.”

Greco added that the compromised Beacon systems do not connect to state networks, “and at no time were the state’s systems at risk,” she said, adding that Beacon had alerted the state it would notify affected people directly.

Beacon Mutual hit by ransomware attack

“Beacon Mutual regrets any inconvenience this matter may cause and appreciates the patience and understanding of our policyholders, agent partners, and other stakeholders,” Michelle N. Pelletier, Beacon’s assistant vice president of marketing and communications, said in an email Friday.

Pelletier added that, as required by state law, Beacon disclosed the breach to the Office of the Rhode Island Attorney General. The AG’s spokesperson Tim Rondeau confirmed via email Friday that the office received notification on Wednesday.

A state employees union shared with Rhode Island Current a copy of a May 18 notice sent to a state employee. It is largely similar to the notice posted to Beacon Mutual’s website earlier this week, which gives a more precise number of approximately 131,027 Rhode Islanders affected.

Beacon is now a private entity but was originally created with help from the state legislature to help stabilize the workers’ compensation insurance market in 1990. It also provides workers’ comp coverage for private employers who cannot find insurance on the voluntary market. Certain employers may be declined coverage because the risk to insure them is too big. Firms which insure these otherwise uninsured firms are known as an “insurer or last resort,” and Beacon fulfills this role in Rhode Island.

There were about 162,000 people affected in all, Pelletier said, a number which includes people who live outside Rhode Island. Pelletier did not immediately respond with the full list of places affected, but Beacon Mutual’s online notice lists Connecticut, Washington, D.C., Maryland, Massachusetts, New York, North Carolina and West Virginia as possibly affected states.

The company does business primarily in Rhode Island, with additional, smaller operations in Connecticut and Massachusetts.

According to the Beacon Mutual website, the affected data was accessed between Jan. 7 and Jan. 14, 2026, and included files that “contained the first name or first initial and last name along with one or more of: Social Security number, driver’s license number, financial account number, health insurance information and/or medical treatment information.”

The letter further advises recipients to monitor account statements and credit reports, and shares tips on setting up fraud alerts and credit freezes, if needed.

Beacon has also set up a toll‑free call center at 833-918-8448 for individuals who believe they may have been affected but were not reached by mail.

Pelletier added that credit monitoring was offered to “everyone who has a Social Security number or driver’s license number involved.”

Threat actors alleged theft of 275GB

“This was a ransomware attack,” Pelletier reiterated on Friday. “We proactively isolated certain systems to contain the threat.”

The cybercriminal outfit INC Ransom took credit for the attack around Jan. 29 on its dark web leak site, boasting that it hauled off about 275 GB of “highly sensitive internal data.”

The criminal group, according to the Denver-based cybersecurity firm Blackpoint Cyber, first appeared sometime around 2023 and has concentrated most of its efforts in North America. INC has breached a number of high-profile targets in recent years, including the Pennsylvania AG’s office and Stark Aerospace, a contractor for the U.S. Department of Defense. A March 2026 report from Halcyon, a ransomware research outfit, noted that INC has been targeting law firms as of late.

INC Ransom has been observed to use the double extortion method, a two-part approach that begins with a traditional ransomware stratagem — encrypting files on a victim’s network, then demanding payment from victims to unlock the files and make them usable again — followed by data exfiltration, in which criminals rip or copy the data from a victim’s servers and threaten to post it online. That threat also comes attached to a ransom.

“I am not at liberty to discuss the ransom demand,” Pelletier said Friday. “We are not in communication with INC Ransom.”

One lawsuit among many

As is typical for data breaches, the breach has already spurred a class-action suit in Rhode Island Superior Court. The plaintiffs’ attorney is Peter Wasylyk, who’s no stranger to data breach litigation — Wasylyk represented plaintiffs in a class action suit over the RIBridges data breach in 2024.

“Beacon Mutual had the responsibility to safeguard the private, sensitive information entrusted to it. With that responsibility came a duty to protect it,” Wasylyk said in a statement Friday.

In a 2026 review, the Philadelphia-based multinational firm Duane Morris found there were an estimated 1,822 data privacy class action suits filed in 2025, for an average of about 150 filings a month — an increase of around 18% from the previous year, and up more than 200% since 2022.

But volume does not equal success, the Duane Morris report found, as “plaintiffs often have difficulty demonstrating that they suffered concrete harm.” Very few cases reached the ruling stage on class certification, which is when a judge decides if claims can be expanded to represent an entire class action.

In 2025, courts ruled on only three motions for class certification over data breaches, the report reads, and plaintiffs prevailed only in one case.

Still, even sans class certification, the cases can still prove pricey if settled: The top 10 settlements accounted for $515.79 million in 2025, according to Duane Morris, which it called “a slight decrease over 2024, when the top 10 data breach class actions totaled $593.2 million.”