Healthcare Services Group Breach Exposes Data of More Than 624,000 People
- Cyber Jill
- 1 hour ago
Healthcare Services Group, Inc. (HSG), a Pennsylvania-based contractor that provides environmental, dining, and nutritional services to hospitals and long-term care facilities, has confirmed a massive data breach impacting more than 624,000 individuals.
The incident, disclosed to the Maine Attorney General last week, highlights a growing problem in the healthcare supply chain: third-party providers that don’t deliver direct patient care but still hold vast volumes of protected health information (PHI).
How the Breach Unfolded
HSG first spotted suspicious activity on October 9, 2024, and disclosed the incident days later in an SEC filing. According to investigators, attackers gained initial access on September 27, remaining undetected for nearly two weeks before discovery. The company launched its incident response plan with outside forensics teams, but it wasn’t until June 2025 that HSG confirmed PHI and personal data may have been exfiltrated.
Notification letters began rolling out on August 25, offering free credit monitoring and identity theft protection. Yet, a full public notice remains unavailable: a broken link on Maine’s breach portal and the absence of an advisory on HSG’s own website mean the nature of the compromised data is still unknown.
The Broader Healthcare Supply Chain Problem
Rebecca Moody, head of data research at Comparitech, says the HSG breach is part of a larger trend targeting healthcare service providers.
"This attack on Healthcare Services Group, Inc. joins a number of others on businesses that operate within the healthcare industry but don't provide direct care (e.g. housekeeping services, medical billing providers, and healthcare technology companies). Organizations like this are an attractive target for hackers due to their access to large data sets, often from a vast range of healthcare companies with highly sensitive data."
Comparitech’s tracking data shows the scale of the threat is accelerating rapidly.
"Since we started recording ransomware attacks in 2018, attacks on companies like HSG have increased, and so has the amount of data breached in these attacks. For example, in 2023, we saw 47 confirmed attacks with 26.1 million records breached; this rose to 51 confirmed attacks in 2024 with over 209.2 million records breached."
According to Comparitech, the breach ranks as the fifth-largest attack worldwide on healthcare service providers in 2024, and the 20th-largest since 2018. One group in particular stands out:
"Underground hasn't claimed a lot of victims throughout its existence (it first started adding victims to its site in May 2024) but it does tend to steal a large amount of data. On average, it alleges to have stolen 517 GB per attack, putting this attack on the Healthcare Services Group, Inc. well above average."
Why It Matters
With over 3,000 client facilities across 48 states, HSG sits at the center of a sprawling healthcare ecosystem. While it doesn’t treat patients, it still manages data flows tied to staffing, operations, and patient services—information often just as sensitive as medical charts.
For threat actors, that makes companies like HSG an irresistible target. And for patients and residents of the facilities it serves, it underscores a harsh reality: their personal health information can be exposed even when the attack hits a contractor they’ve never heard of.