Full Report
On March 21, 2025, Fundamental Administrative Services, LLC (“Fundamental”), a Maryland-headquartered service provider to long-term care facilities, notified HHS of a breach involving unauthorized access to its network. At the time, they used a “500” placeholder for the number affected, but also posted a substitute notice on their website. This week, Fundamental issued a press... Source
Analysis Summary
# Incident Report: Unauthorized Access at Fundamental Administrative Services
## Executive Summary
Fundamental Administrative Services (FAS), a service provider for long-term care facilities, suffered a data breach involving unauthorized access to its network between October 2024 and January 2025. The breach exposed the sensitive personal and medical information of 56,325 patients across numerous facilities. FAS detected the intrusion in January 2025 and subsequently notified HHS, although the initial access had occurred months earlier.
## Incident Details
- **Discovery Date:** January 20, 2025 (when suspicious activity was first noticed)
- **Incident Date:** Unauthorized access occurred between October 27, 2024, and January 13, 2025.
- **Affected Organization:** Fundamental Administrative Services, LLC, reporting on behalf of covered entities (numerous long-term care facilities).
- **Sector:** Healthcare Services/Long-Term Care Support
- **Geography:** Maryland-headquartered (with services supporting facilities across various locations).
## Timeline of Events
### Initial Access
- **Date/Time:** On or around October 27, 2024.
- **Vector:** Unauthorized access to the network.
- **Details:** The exact initial vector is not specified in the report.
### Lateral Movement
- **Details:** The attack window remained open until January 13, 2025, indicating that the actors maintained unauthorized access and likely moved within the network during this period, although specific lateral movement techniques are not detailed.
### Data Exfiltration/Impact
- **Details:** Attackers accessed and potentially exfiltrated Protected Health Information (PHI) and Personally Identifiable Information (PII) for 56,325 patients. Affected data included names, SSNs, driver's licenses, financial account info, DOBs, medical treatment info, and health/Medicare insurance details.
### Detection & Response
- **Details:** Suspicious activity was first noticed on January 20, 2025. FAS initiated an internal review, which confirmed the unauthorized access period. FAS notified HHS of the breach and issued public notices to affected entities.
## Attack Methodology
- **Initial Access:** Unauthorized access (specific vector unknown).
- **Persistence:** Maintained unauthorized access for approximately 78 days (Oct 27, 2024 – Jan 13, 2025).
- **Privilege Escalation:** Not specified.
- **Defense Evasion:** Suggested by the long detection time (over 2 months without detection).
- **Credential Access:** Inferred from the confirmed access to highly sensitive data, which likely involved credential theft or misuse.
- **Discovery:** Inferred reconnaissance activities during the access window.
- **Lateral Movement:** Inferred given the extended time frame to access and collect diverse patient data across associated facilities.
- **Collection:** Gathering of PII and PHI (names, SSNs, financial info, medical details).
- **Exfiltration:** Data theft occurred within the active unauthorized access window.
- **Impact:** Compromise of PII and PHI for over 56,000 patients.
## Impact Assessment
- **Financial:** Not disclosed, but likely involves regulatory fines, notification costs, and potential remediation costs.
- **Data Breach:** PII and PHI for 56,325 patients, including SSNs, financial account details, and health information.
- **Operational:** Minimal information on operational disruption, but the company was forced to issue public remediation notices.
- **Reputational:** Negative impact due to public disclosure involving sensitive patient data across numerous long-term care facilities.
## Indicators of Compromise
*(Note: The source article did not list specific IoCs; the entries below describe the kinds of indicators to look for in this type of breach and are not observed values.)*
- **Network indicators:** Unknown malicious C2 domains/IPs used for exfiltration or persistence; none were published, so `example_c2_1[.]com` is shown only as a defanged placeholder, not a real indicator.
- **File indicators:** Unknown malware or tools used for access or data staging (e.g., unusual packed executables or scripts).
- **Behavioral indicators:** Unrecognized remote access sessions, large data staging or transfer events outside standard operational hours.
## Response Actions
- **Containment:** Not explicitly detailed, but containment would have been initiated upon detection in January 2025 to stop further unauthorized access.
- **Eradication:** Steps taken to remove actor presence from the network following the closure of the access window (Jan 13, 2025).
- **Recovery:** Notification of HHS, notification of affected covered entities, and issuance of public substitute notices to patients.
## Lessons Learned
- The investigation revealed a significant gap in continuous monitoring, as unauthorized activity persisted for over two months (October 27, 2024 – January 13, 2025) before any activity was flagged on January 20, 2025.
- Reliance on placeholder breach numbers ("500") initially suggests delayed or incomplete internal assessment processes following incident confirmation.
- The organization processes a very high volume of highly sensitive data (PHI/SSNs), requiring robust security controls commensurate with that risk level.
## Recommendations
- Implement 24/7 Security Information and Event Management (SIEM) monitoring with high-fidelity alerting thresholds, specifically prioritizing anomalies related to data access and large file transfers.
- Review and enforce least-privilege access across all administrative and service environments, and segment the network so that a single compromised account or host cannot reach every facility's data.
- Conduct mandatory, recurring penetration testing that specifically targets techniques known for long-term persistence and data staging/exfiltration.
- Establish clearer internal protocols for rapidly triaging and quantifying the scale of a confirmed intrusion immediately upon discovery.
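The behavioral indicators listed under Indicators of Compromise (large transfers outside standard hours, unrecognized remote sessions) and the SIEM recommendation above both describe the same detection need. The following is an added example, not code from the original report or from Fundamental, showing how such a rule could be prototyped over a constructed transfer log. The pipe-delimited log format, the 500 MiB threshold, the 07:00–19:00 business window, the internal address prefix and the allowlist of approved service accounts are all assumptions to be tuned against a real baseline.

```python
"""Prototype detection for large or off-hours outbound transfers.

Added example for the incident report above; not the reporting organization's
tooling. Log format, thresholds and allowlists are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, time
from collections import defaultdict

# Constructed sample log (assumed pipe-delimited export from a transfer/proxy log):
# timestamp | user | source host | destination | bytes out | session kind
SAMPLE_LOG = """\
2025-01-05T14:12:03|j.doe|WS-114|10.0.5.20|52428800|smb
2025-01-06T02:47:51|svc-backup|FS-01|203.0.113.45|6442450944|https
2025-01-06T09:15:00|svc-backup|FS-01|10.0.9.8|7516192768|smb
2025-01-07T23:10:44|rdp-temp|JUMP-02|198.51.100.7|734003200|https
2025-01-08T11:30:12|a.smith|WS-220|10.0.5.20|1048576|smb
"""

# Assumed tuning knobs; adjust to the environment's observed baseline.
LARGE_TRANSFER_BYTES = 500 * 1024 * 1024      # 500 MiB in a single event
BUSINESS_HOURS = (time(7, 0), time(19, 0))     # local working window
APPROVED_REMOTE_ACCOUNTS = {"svc-backup"}      # accounts expected to reach external hosts
INTERNAL_PREFIXES = ("10.",)                   # assumed internal address space
CUMULATIVE_EXTERNAL_BYTES = 5 * 1024 ** 3      # 5 GiB per user over the log window


@dataclass
class TransferEvent:
    ts: datetime
    user: str
    src_host: str
    dst: str
    bytes_out: int
    kind: str


def parse_log(text: str) -> list[TransferEvent]:
    """Parse the pipe-delimited log into typed events, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, dst, size, kind = line.split("|")
        events.append(TransferEvent(datetime.fromisoformat(ts), user, src, dst, int(size), kind))
    return events


def is_outside_hours(ts: datetime) -> bool:
    start, end = BUSINESS_HOURS
    return not (start <= ts.time() <= end)


def is_external(dst: str) -> bool:
    return not dst.startswith(INTERNAL_PREFIXES)


def score_event(ev: TransferEvent) -> list[str]:
    """Return the list of rule names the event trips (empty if benign)."""
    reasons = []
    if ev.bytes_out >= LARGE_TRANSFER_BYTES:
        reasons.append("large-transfer")
    if is_outside_hours(ev.ts):
        reasons.append("outside-hours")
    if is_external(ev.dst) and ev.user not in APPROVED_REMOTE_ACCOUNTS:
        reasons.append("unapproved-external")
    return reasons


def find_alerts(events: list[TransferEvent], min_reasons: int = 2) -> list[tuple[TransferEvent, list[str]]]:
    """Alert only when at least `min_reasons` rules fire, to keep the signal high-fidelity."""
    alerts = []
    for ev in events:
        reasons = score_event(ev)
        if len(reasons) >= min_reasons:
            alerts.append((ev, reasons))
    return alerts


def external_volume_by_user(events: list[TransferEvent]) -> dict[str, int]:
    """Sum outbound bytes to external destinations per user (catches slow, staged exfiltration)."""
    totals: dict[str, int] = defaultdict(int)
    for ev in events:
        if is_external(ev.dst):
            totals[ev.user] += ev.bytes_out
    return dict(totals)


def users_over_cumulative(events: list[TransferEvent]) -> set[str]:
    return {u for u, b in external_volume_by_user(events).items() if b >= CUMULATIVE_EXTERNAL_BYTES}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ev, reasons in find_alerts(evs):
        print(f"ALERT {ev.ts.isoformat()} user={ev.user} dst={ev.dst} bytes={ev.bytes_out} rules={reasons}")
    print("cumulative external volume over threshold:", users_over_cumulative(evs))
```

Requiring two rules to fire before alerting is the "high-fidelity threshold" idea from the recommendation: a large backup to an internal server during the day is normal, but a large transfer to an external host at 02:47 is worth a ticket even from an approved service account. The per-user cumulative view complements the per-event rules, since an actor with a 78-day window can keep each individual transfer under any single-event threshold.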