On January 13, 2025, Fundamental Administrative Services, LLC, a healthcare management services company based in Sparks, Maryland, detected suspicious network activity within its systems that support more than 85 skilled nursing facilities and rehabilitation centers across Indiana, Maryland, Nevada, New Mexico, South Carolina, Texas, and Wisconsin.
What happened
A forensic investigation revealed that the company’s network had been subject to unauthorized access for approximately two and a half months, from October 27, 2024, through January 13, 2025, during which files containing HIPAA-protected data were exfiltrated. The review of compromised files confirmed exposure of sensitive information belonging to 56,235 individuals.
Fundamental Administrative Services initially reported the incident to the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) with a placeholder figure of 500 affected individuals, but later updated the report once the scope was confirmed. The company has since taken action to secure its systems, launched a comprehensive review of its policies, procedures, and data access practices, and notified the 87 affected skilled nursing and rehabilitation facilities.
Going deeper
According to DataBreaches.net the organizations affected include:
- Alamo Heights Health and Rehabilitation Center
- Allegany Health Nursing and Rehabilitation
- BellTower Health & Rehabilitation Center
- Bennettsville Health & Rehabilitation Center
- Berlin Nursing and Rehabilitation Center
- Bremond Nursing and Rehabilitation Center
- Bridgecrest Rehabilitation Suites
- Brownfield Rehabilitation and Care Center
- Calhoun Convalescent Center
- Canton Oaks
- Casa Arena Blanca Nursing Center
- Casa Maria Health Care Center and Pecos Valley Rehabilitation Suites
- Cedar Pointe Health and Wellness Suites
- Central Desert Behavioral Health Hospital
- College Park Rehabilitation Center
- Corinth Rehabilitation Suites on the Parkway
- Courtyards at Pasadena
- Creekside Terrace Rehabilitation
- Crimson Heights Health & Wellness ALF
- Crimson Heights Health and Wellness
- Crosbyton Nursing and Rehabilitation Center
- Devlin Manor Nursing and Rehabilitation Center
- Edgewood Rehabilitation and Care Center
- Fairfield Nursing and Rehabilitation Center
- Falcon Ridge Rehabilitation
- Forest Haven Nursing and Rehabilitation Center
- Founders Plaza Nursing & Rehab
- Fruitvale Healthcare Center
- Green Valley Health and Wellness Suites
- Hallmark Healthcare Center
- Harmon Hospital
- Hearthstone of Northern Nevada
- Hillside Heights Rehabilitation Suites
- Horizon Health & Rehab Center
- Horizon Specialty Hospital of Henderson
- Horizon Specialty Hospital of Las Vegas
- Julia Manor Nursing and Rehabilitation Center
- Kirkland Court Health and Rehabilitation Center
- Lake Emory Post Acute Care
- Lancaster Health and Rehabilitation
- Las Brisas Rehabilitation and Wellness Suites
- Las Ventanas de Socorro
- Los Arcos del Norte Care Center
- Magnolia Manor of Greenville
- Magnolia Manor of Greenwood
- Magnolia Manor of Inman
- Magnolia Manor of Rock Hill
- Magnolia Manor of Spartanburg
- Meadowbrook Care Center
- Midlands Behavioral Health Hospital
- Midlands Health & Rehabilitation Center
- Mira Vista Court
- Monarch Pavilion Rehabilitation Suites
- Moran Nursing and Rehabilitation Center
- North Las Vegas Care Center
- Northampton Manor Nursing and Rehabilitation Center
- Oakbrook Health and Rehabilitation Center
- Oakland Nursing and Rehabilitation Center
- Physical Rehabilitation and Wellness Center of Spartanburg
- Rehab Center of Cheraw
- Restore Health Rehabilitation Center
- Retama Manor Nursing Center/Victoria South
- Riverside Health and Rehab
- San Gabriel Rehabilitation and Care Center
- Sandy Lake Rehabilitation and Care Center
- Sedona Trace Health and Wellness
- Sierra Ridge Health and Wellness Suites
- Solidago Health and Rehabilitation
- Southpointe Healthcare and Rehabilitation
- Spanish Hills Wellness Suites
- Spanish Trails Rehabilitation Suites
- St. George Healthcare Center
- Sterling Oaks Rehabilitation
- Sunset Villa Care Center
- Terra Bella Health and Wellness Suites
- The Brazos of Waco
- The Casitas at Las Brisas ALF
- The Hillcrest of North Dallas
- The Pavilion at Creekwood
- The Pavilion at Glacier Valley
- The Terrace at Denison
- The Village at Richardson
- Valley Falls Terrace
- Villa Haven Health and Rehabilitation Center
- Villa Rosa Nursing and Rehabilitation
- Willow Springs Health & Rehabilitation Center
- Woodlands Place Rehabilitation Suites
What was said
The Databreaches.net post on the breach notes, “Fundamental first became aware of suspicious activity on its network on January 20, 2025. Their investigation revealed that there was unauthorized access between October 27, 2024 and January 13, 2025. They offer no explanation for why it was not detected in October or earlier than months later.”
See also: HIPAA Compliant Email: The Definitive Guide (2025 Update)
FAQs
What is a Business Associate under HIPAA?
A business associate is a person or entity that performs functions or services for a HIPAA-covered entity (like a hospital, nursing home, or insurer) that involve the use or disclosure of protected health information (PHI).
How are business associates different from covered entities?
Covered entities are healthcare providers, health plans, and healthcare clearinghouses that directly collect or manage PHI. Business associates, on the other hand, support covered entities by providing services such as billing, IT support and claims processing.
Are business associates subject to penalties for noncompliance?
Yes. The HHS Office for Civil Rights (OCR) can impose civil monetary penalties directly on Business Associates if they fail to safeguard PHI or do not comply with HIPAA rules.