Yesterday was a bad day for your data.
On March 17, 2026, two separate companies filed breach notifications: CorVel Corporation, one of the largest workers’ compensation managed care organizations in the country, and Lena Health, a patient engagement platform used by healthcare providers across the U.S. Two different companies. Two different industries. Same result — your personal data, potentially including your Social Security number, is now in someone else’s hands.
If you’ve ever filed a workers’ comp claim, visited a healthcare provider that uses Lena Health, or had a family member covered under workers’ comp, your information may be part of these exposures. And with tax season in full swing right now, the window for criminals to weaponize that data against your credit is wide open.
CorVel Corporation: Workers’ compensation managed care. Data potentially includes claimant names, SSNs, dates of birth, injury details, and employer information. CorVel processes claims for thousands of employers nationally.
Lena Health: Patient engagement and care coordination platform. Data potentially includes patient names, contact information, health identifiers, and account credentials. Used by clinics and health networks across the country.
Why this hits different during tax season
Most people think identity theft means someone opens a credit card in your name. But the fastest-growing identity crime right now is employment identity theft — where criminals use your SSN to get hired, collect wages, and file fraudulent tax returns before you even know your data was compromised.
Workers’ comp data is a goldmine for this exact crime. It contains everything: your full legal name, SSN, employer history, date of birth, and physical address. CorVel processes claims across nearly every industry sector in the United States. A breach of their data is essentially a master key to employment fraud at scale.
“Employment identity theft victims often discover the crime at tax time — when the IRS rejects their return because someone else already filed using their SSN. By then, the damage to their credit profile is already done.” — Identity Theft Resource Center, 2026
Lena Health’s exposure adds a different dimension. Healthcare identity theft — where criminals use your insurance information to receive medical services or prescriptions — can result in fraudulent medical debt appearing on your credit report. You never got the treatment. You never incurred the debt. But the collection account shows up on your Experian, TransUnion, and Equifax files anyway, and with the CFPB defanged, getting it removed is harder than ever.
The credit impact most victims don’t see coming
Here’s what actually happens to your credit when SSN data from a breach gets weaponized. It doesn’t happen overnight — the fraud timeline typically unfolds over 6 to 18 months after a breach disclosure. That delay is by design. Criminals sit on stolen data and wait for the noise to die down before using it.
Phase 1 — Account takeover. Stolen SSNs get matched against data broker records to build a fuller profile. This gives fraudsters enough to attempt password resets on existing financial accounts or to pass identity verification checks at new lenders.
Phase 2 — New account fraud. New credit lines, utility accounts, and sometimes auto loans get opened in your name. These show up as hard inquiries first — which is your early warning signal if you’re monitoring.
Phase 3 — Derogatory reporting. When the fraudulent accounts go delinquent — which they always do, because the criminal has no intention of paying — the collections hit your credit file. A single fraudulent collection can drop a 720 score to the low 600s overnight.
Between January and April, criminals actively test stolen SSNs against tax systems. The IRS and state revenue departments process millions of returns, and fraudulent returns filed before yours lock your legitimate return out. Even if you’ve never interacted with CorVel or Lena Health directly, if your employer used CorVel for workers’ comp administration, your SSN is in their system.
What to do in the next 48 hours
This is not the time to wait for a notification letter. The 48-hour window after a breach disclosure is the highest-risk period — before criminals act but after the data is potentially in play. Here is the exact playbook:
1. Freeze your credit at all three bureaus immediately. Go to Experian.com, TransUnion.com, and Equifax.com and place a security freeze. Free, instant, and it prevents anyone from opening new accounts in your name. This is the single most effective step you can take right now. Also freeze at ChexSystems (banking) and LexisNexis (background checks).
2. Pull all three credit reports and look for hard inquiries. Go to AnnualCreditReport.com and pull your Experian, TransUnion, and Equifax files right now. Look for any hard inquiries from lenders you don’t recognize — these are your earliest warning of new account fraud attempts. Dispute anything unfamiliar under the FCRA immediately.
3. Place an IRS Identity Protection PIN on your tax account. If your SSN was in the CorVel breach, an IP PIN from the IRS prevents anyone else from filing a return using your number. Go to IRS.gov/ippin. Takes about 15 minutes. Completely blocks the employment identity theft / tax fraud pathway.
4. Monitor your credit report weekly for the next 90 days. A freeze stops new accounts but doesn’t protect existing ones. Set up alerts through each bureau for any changes to existing accounts, address updates, or new inquiry attempts. Weekly monitoring catches problems before they become full collections.
5. If fraudulent accounts appear, dispute under the FCRA with an identity theft affidavit. File an identity theft report at IdentityTheft.gov, get your FTC affidavit, then send it directly to the bureau with a dispute letter. Under FCRA Section 605B, fraudulent accounts must be blocked within 4 business days of receiving your documentation. The bureaus are dragging their feet on disputes right now — make every letter certified mail with return receipt.
| Threat Type | Risk Level | First Line of Defense |
|---|---|---|
| New account fraud | High | Credit freeze at all 3 bureaus + ChexSystems |
| Employment ID theft | High (tax season) | IRS IP PIN — do this today |
| Medical debt fraud | Elevated | Monitor credit file for unknown medical collections |
| Account takeover | Elevated | Update passwords + enable MFA on all financial accounts |
| Tax refund fraud | High (now) | File your tax return ASAP — the first return wins |
Why the CFPB gutting makes breach damage worse
Here’s the part of this story that doesn’t get enough attention. Two years ago, if fraudulent accounts appeared on your credit file after a breach, the CFPB had active enforcement authority to force the bureaus to investigate and resolve your dispute quickly. That enforcement capacity has been gutted since early 2025.
TransUnion’s dispute resolution rate in consumers’ favor has dropped to under 1%. Experian is not far behind. If fraudulent accounts appear on your file from this breach, you cannot count on the bureaus to fix them voluntarily. You’ll need to go straight to the legal track — FCRA dispute with an affidavit, certified mail, 30-day countdown clock, and if they don’t comply, a lawsuit.
This is why automated credit monitoring and dispute tracking matters more now than at any point in the last decade. You need a system that watches your file daily, flags anomalies the moment they appear, and generates compliant FCRA dispute letters before a problem becomes a three-year headache.
The NMD approach: don’t wait to be a victim
The credit system was already broken before yesterday’s breaches. The bureaus aren’t fixing errors. The CFPB isn’t enforcing. Lenders are tightening. And now fresh breach data is circulating from two new exposures on the same day.
What NMD Solutions builds is the infrastructure to stay ahead of this: automated monitoring that detects changes to your credit file in real time, dispute generation that puts your letters on the legal track from day one, identity theft response playbooks that you can execute immediately without spending $300 on a credit repair attorney, and business credit building that separates your EIN from your personal SSN so a breach of your personal data doesn’t take down your business credit too.
The breach already happened. What you do in the next 48 hours determines whether it becomes a 50-point score drop or a footnote you handled before it started.
Monitor your credit file. Dispute automatically. Stay ahead of the breach damage.
Our AI credit bot tracks your bureau activity, flags anomalies, generates FCRA dispute letters, and keeps you ahead of identity theft before it destroys your score. $29 flat. No subscription.