Healthcare Services Group Confirms 624,500 Individuals Affected by Data Breach
Healthcare Services Group, Inc. (HSG), a Bensalem, PA-based provider of environmental, dining, and nutritional support services to healthcare facilities, has recently notified the Maine Attorney General about a major data breach involving unauthorized access to systems containing the personal and protected health information of 624,496 individuals, including 3,871 Maine residents.
HCSG provides its services to over 3,000 healthcare facilities in 48 U.S. states and employs more than 45,000 individuals. HSG first disclosed the security incident on October 16, 2024, in a FORM 8-K filing with the U.S. Securities and Exchange Commission (SEC), explaining that a cybersecurity incident was identified on or around October 9, 2024, when unauthorized activity was observed within some of its systems.
HSG initiated its cybersecurity incident response process, and an investigation was launched to determine the cause of the activity, with assistance provided by third-party cybersecurity specialists. At the time, the full nature of the incident was unknown, although it was not expected to have a material impact on its financial condition or the results of operations. The breach report indicates initial access to its network occurred on September 27, 2024, and the intrusion was detected on or around October 7, 2024.
HSG confirmed that an unauthorized third party accessed its network between September 27, 2024, and October 3, 2024, and during that time, files were exfiltrated. HSG has been reviewing the affected files and determined on June 3, 2025, that personal and protected health information was stolen, including names, dates of birth, Social Security numbers, financial account information, driver’s license numbers, and state identification numbers.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Notification letters started to be mailed to the affected individuals on August 25, 2025, and complimentary credit monitoring and identity theft protection services have been offered to the affected individuals. At the time of issuing the notification letters, Healthcare Services Group was unaware of any misuse of the stolen data; however, the affected individuals have been advised to remain vigilant against identity theft and fraud and should monitor their accounts and credit reports for suspicious activity.
This post will be updated when further information becomes available.
