Healthcare Services Group, Inc. (HCSG), a provider of housekeeping, dining, and laundry services for the healthcare industry, has disclosed a significant data breach affecting 624,496 individuals.
According to a regulatory filing with the Maine Attorney General's Office, the breach was caused by an external hacking incident that occurred on September 27, 2024, but went undetected until October 7, 2024.
Matthew Barndt, the company's Vice President of Risk Management, confirmed that sensitive personal information was compromised. The exposed data includes names, Social Security numbers, driver’s license numbers, state identification numbers, financial account information, and full access credentials, all high-value targets for identity theft and financial fraud. Written notification letters were sent to affected individuals beginning August 25, 2025, and identity protection services are being offered as a remediation measure.
The company became aware of suspicious activity in its IT environment and launched an investigation with assistance from third-party forensic experts. This investigation determined that unauthorized access to certain systems had occurred and that files containing personal information were exfiltrated by an external threat actor. While there is no evidence that the stolen information has been misused as of the time of notification, the nature of the data and the long dwell time between breach and discovery raise significant concerns.
Healthcare Services Group, headquartered in Bensalem, Pennsylvania, serves thousands of clients in the post-acute care sector, including nursing homes and long-term care facilities. The company provides essential non-clinical services in environments where patient safety and regulatory compliance are critical. A breach of this magnitude, particularly involving personal data of employees or clients tied to the healthcare ecosystem, could lead to downstream privacy risks or compliance implications under HIPAA and other frameworks.
HCSG is offering 12 months of free credit monitoring and identity restoration services through Kroll. Impacted individuals are encouraged to remain vigilant, monitor financial accounts, and place fraud alerts or security freezes with major credit bureaus. In the event of suspected identity theft, individuals are advised to report it to the Federal Trade Commission through the identitytheft.gov portal.
HCSG has not disclosed specific details about the intrusion vector or the threat actor responsible, and CyberInsider couldn't find any relevant disclosures on ransomware sites.
Leave a Reply