Healthcare Services Group breach affects over 624,000 individuals

A Pennsylvania-based healthcare services provider has confirmed that hackers accessed and stole personal and health data from hundreds of thousands of individuals across the US.

What happened

Healthcare Services Group, Inc. (HSG) reported a data breach that exposed the personal and protected health information of 624,496 individuals. The Bensalem-based company provides environmental, dining, and nutritional services to over 3,000 healthcare facilities across 48 states.

The incident was first disclosed in an SEC filing on October 16, 2024, shortly after unauthorized activity was detected within its systems. According to the breach timeline, attackers gained access on September 27, 2024, and remained undetected until October 7, with exfiltration occurring through October 3.

Going deeper

HSG worked with third-party cybersecurity experts to investigate the breach and review the affected data. It wasn’t until June 3, 2025, that the company confirmed the compromised files contained sensitive personal and health-related information. The data included full names, birth dates, Social Security numbers, financial account details, and government-issued identification numbers.

Notification letters were sent to affected individuals starting August 25, 2025. HSG is offering free credit monitoring and identity theft protection services. While there’s currently no evidence of misuse, the company has advised individuals to remain alert for possible fraud or identity theft attempts.

What was said

According to BleepingComputer, the organization has “an annual revenue of $1.7 billion, and its services are of strategic importance to the safe and smooth functioning of thousands of healthcare facilities in the country.” The report noted that “no ransomware groups have claimed the attack on HSGI,” and the company advised people to “remain vigilant for phishing and scamming attempts and report suspicious activity on their banking accounts to the authorities.”

FAQs

Why would a support services provider like HSG have access to protected health information?

Although HSG doesn’t deliver clinical care, it operates within healthcare environments where staff and contractor data often overlap with patient systems for scheduling, compliance, or payroll purposes, requiring access to sensitive information.

Why did it take until June 2025 to confirm what data was stolen?

Data reviews after a breach can be time-consuming, especially when large volumes of files must be manually analyzed to determine if personal or health information was involved. HSG only confirmed the nature of the data after completing this analysis.

Is this incident considered a HIPAA violation?

If HSG is considered a business associate under HIPAA, then it would be subject to HIPAA’s privacy and security rules. An investigation by the Department of Health and Human Services may determine whether HIPAA violations occurred.

What is Form 8-K, and why was it used in this case?

Form 8-K is a report that publicly traded companies must file with the SEC to disclose major events. HSG used it to disclose the breach because of its potential impact on operations or investor perception.