Full Report
The Healthcare Services Group (HSGI) is alerting more than 600,000 individuals that their personal information was exposed in a security breach last year. [...]
Analysis Summary
# Incident Report: HSGI Data Breach Affecting 624,000 Individuals
## Executive Summary
Healthcare Services Group (HSGI) experienced a data breach beginning in late September 2024, involving unauthorized access to their network that lasted several days. The subsequent investigation confirmed data exfiltration, impacting over 624,000 individuals. HSGI began notifying affected parties in August 2025 and has offered credit monitoring services as a remediation step.
## Incident Details
- **Discovery Date:** October 7, 2024
- **Incident Date:** Began September 27, 2024 (Intrusion period noted as September 27, 2024, to October 3, 2024)
- **Affected Organization:** Healthcare Services Group (HSGI)
- **Sector:** Healthcare Services Provider (Support services to healthcare facilities)
- **Geography:** United States (Based on company description)
## Timeline of Events
### Initial Access
- **Date/Time:** On or around September 27, 2024
- **Vector:** Unauthorized access to the network (Specific initial vector not disclosed)
- **Details:** Intruders gained access and remained undetected until October 7, 2024.
### Lateral Movement
- **Details:** Not established by the notice. HSGI states that the attackers accessed and copied certain files between September 27, 2024, and October 3, 2024, but does not say how many systems were involved or how the attackers moved between them.
### Data Exfiltration/Impact
- **Details:** Data was exfiltrated from the systems accessed by the intruders. Compromised data included Full name, Social Security number, Driver’s license number, State identification number, Financial account information, and Account access credentials.
### Detection & Response
- **Detection:** Unauthorized access was detected on October 7, 2024.
- **Response Actions:** HSGI initiated an investigation; the review of the involved files to determine whose data was affected took approximately ten months. Notifications began on August 25, 2025.
## Attack Methodology
- **Initial Access:** Unauthorized actor gained entry (Specific method unknown).
- **Persistence:** Access was maintained from September 27 to October 3, 2024 (mechanism not disclosed).
- **Privilege Escalation:** Not specified.
- **Defense Evasion:** Not specified, though access went undetected for about 10 days (September 27 to October 7).
- **Credential Access:** Files containing "Account access credentials" were among those copied; whether the attackers used those credentials during the intrusion is not stated.
- **Discovery:** Not specified; the attackers evidently located files holding sensitive data, but the notice does not say how.
- **Lateral Movement:** Not stated. The notice confirms access to files containing sensitive PII and financial data but does not say whether multiple systems were involved.
- **Collection:** Copying of specific files containing sensitive information.
- **Exfiltration:** Data was successfully copied and removed from the systems.
- **Impact:** Exposure of PII, financial data, and credentials for 624,000 individuals.
## Impact Assessment
- **Financial:** Not quantified, but HSGI is a company with $1.7 billion in annual revenue.
- **Data Breach:** Personal data (Full Name, SSN, Driver's/State ID, Financial Account Info, Credentials) impacting approximately 624,000 individuals.
- **Operational:** Not explicitly detailed; the notice describes no service disruption, but the file review consumed roughly ten months of investigative effort.
- **Reputational:** Likely significant given the number of people affected, the sensitivity of the exposed data (SSNs, financial account information, credentials), and HSGI's role as a service provider to healthcare facilities.
## Indicators of Compromise
- **Network indicators:** None publicly specified.
- **File indicators:** None publicly specified.
- **Behavioral indicators:** Unauthorized file access and copying over roughly a week (September 27 to October 3, 2024); no specific accounts, hosts, or tooling were disclosed.
## Response Actions
- **Containment measures:** Not detailed, but implied containment occurred after detection on October 7, 2024.
- **Eradication steps:** Not detailed.
- **Recovery actions:** Extensive review of involved files over ten months; notification to impacted parties in August 2025; offering 12 or 24-month credit monitoring/identity theft protection services.
## Lessons Learned
- **Key takeaways:** HSGI held highly sensitive personal and financial data, including SSNs and account access credentials, that an intruder was able to reach, copy, and remove over roughly a week without triggering detection. Whatever controls were in place did not prevent or detect bulk access to those files.
- **What could have been done better:** Detection came ten days after initial access and four days after the copying ended, and formal notification followed about eleven months later. HSGI attributes the delay to the file review, which suggests the affected data was not inventoried or classified well enough to scope the breach quickly.
## Recommendations
- **Prevention measures for similar incidents:** Instrument file servers and network egress points so that unusual volumes of file reads or outbound transfers raise alerts within hours rather than days (detection here took ten days, and the copying had already finished). Tighten access controls around files containing SSNs and financial data: least-privilege access, logging of reads as well as writes, and periodic review of who can reach those shares. Encrypt sensitive data at rest, with the caveat that encryption only helps against an attacker who lacks the keys or the application's normal access path, so it complements access control and monitoring rather than replacing them. Because account access credentials were among the copied data, rotate the exposed credentials and enforce multi-factor authentication on the affected accounts. Maintain a current inventory of where sensitive personal data lives so that a future breach can be scoped in weeks rather than months.
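The monitoring recommendation above, as an added example that is not part of the HSGI notice or any HSGI tooling: a small detector that flags hosts whose daily outbound volume to external destinations jumps well above their own baseline. It assumes per-flow records (date, host, external destination, bytes out) of the kind a firewall or NetFlow collector can summarise; the records, host names, and addresses below are constructed for illustration, and the thresholds are assumptions to be tuned per environment. The detector guards against two failure modes a naive threshold misses: small hosts whose normal variance trips a pure standard-deviation rule, and hosts that have no baseline at all because they are new or rarely seen.

```python
"""Bulk-outbound-transfer detector over constructed daily flow summaries.

Added example; not from the HSGI notice. Assumes flow records shaped
(date, host, external destination, outbound bytes).
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample data. fs01 and ws17 have a quiet five-day baseline;
# fs01 then pushes 1.2 GB out on 09-27 (split across two destinations),
# ws17 drifts slightly on 09-26, and new01 appears for the first time with
# a large transfer and no history at all.
SAMPLE_FLOWS = [
    ("2024-09-20", "fs01", "203.0.113.10", 50_000_000),
    ("2024-09-21", "fs01", "203.0.113.10", 52_000_000),
    ("2024-09-22", "fs01", "203.0.113.10", 48_000_000),
    ("2024-09-23", "fs01", "203.0.113.10", 51_000_000),
    ("2024-09-24", "fs01", "203.0.113.10", 49_000_000),
    ("2024-09-25", "fs01", "203.0.113.10", 50_500_000),
    ("2024-09-26", "fs01", "203.0.113.10", 47_000_000),
    ("2024-09-27", "fs01", "203.0.113.10", 200_000_000),
    ("2024-09-27", "fs01", "198.51.100.7", 1_000_000_000),
    ("2024-09-20", "ws17", "203.0.113.10", 5_000_000),
    ("2024-09-21", "ws17", "203.0.113.10", 5_500_000),
    ("2024-09-22", "ws17", "203.0.113.10", 4_500_000),
    ("2024-09-23", "ws17", "203.0.113.10", 5_200_000),
    ("2024-09-24", "ws17", "203.0.113.10", 4_800_000),
    ("2024-09-25", "ws17", "203.0.113.10", 5_100_000),
    ("2024-09-26", "ws17", "203.0.113.10", 6_100_000),
    ("2024-09-27", "ws17", "203.0.113.10", 5_300_000),
    ("2024-09-27", "new01", "198.51.100.7", 800_000_000),
]

# Days used to learn each host's normal outbound volume (assumption).
BASELINE_DATES = {"2024-09-20", "2024-09-21", "2024-09-22",
                  "2024-09-23", "2024-09-24"}


def daily_outbound(flows):
    """Sum outbound bytes per host per day across all destinations."""
    totals = defaultdict(lambda: defaultdict(int))
    for date, host, _dst, nbytes in flows:
        totals[host][date] += nbytes
    return totals


def detect_bulk_outbound(flows, baseline_dates, sigma=3.0, ratio_floor=2.0,
                         absolute_floor=500_000_000, min_baseline_days=3):
    """Return alerts for days whose outbound volume is anomalous for the host.

    A host with a baseline is flagged when a day exceeds BOTH mean + sigma*sd
    and ratio_floor * mean; the ratio floor stops low-volume hosts from
    alerting on ordinary jitter. A host with too little history is judged
    only against absolute_floor, so a freshly staged machine cannot hide
    behind the absence of a baseline.
    """
    baseline_dates = set(baseline_dates)
    alerts = []
    for host, per_day in sorted(daily_outbound(flows).items()):
        base = [b for d, b in per_day.items() if d in baseline_dates]
        eval_days = sorted((d, b) for d, b in per_day.items()
                           if d not in baseline_dates)
        if len(base) < min_baseline_days:
            for d, b in eval_days:
                if b >= absolute_floor:
                    alerts.append({"host": host, "date": d, "bytes": b,
                                   "ratio": None, "reason": "no_baseline"})
            continue
        mu, sd = mean(base), pstdev(base)
        threshold = max(mu + sigma * sd, ratio_floor * mu)
        for d, b in eval_days:
            if b > threshold:
                alerts.append({"host": host, "date": d, "bytes": b,
                               "ratio": round(b / mu, 1),
                               "reason": "above_baseline"})
    return alerts


if __name__ == "__main__":
    for a in detect_bulk_outbound(SAMPLE_FLOWS, BASELINE_DATES):
        print(f"{a['date']} {a['host']}: {a['bytes']:,} bytes "
              f"({a['reason']}, ratio={a['ratio']})")
```

On the constructed data this raises two alerts: fs01 on 2024-09-27 at 24 times its baseline, and new01 on the same day for lack of history, while ws17's 6.1 MB day is suppressed by the ratio floor. In production the same logic would run per day over summarised flow or proxy logs, with the baseline window sliding and per-host thresholds reviewed when legitimate bulk jobs (backups, replication) are onboarded.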