Cybercriminals hit third-party partner for data on 600K patients

Big breaches in healthcare are becoming increasingly common, and cybercriminals aren’t always going directly for care providers anymore.
By admin
Sep 10, 2025, 8:54 AM

Healthcare entities keep getting walloped with headline-making data breaches exposing the personal information of huge numbers of patients at a time – and increasingly, the targets aren’t just provider groups themselves.  

Cybercriminals are learning that third-party service partners and business associates are also ripe for the picking, and can lead to rich harvests of personal information to be sold on the black market. 

The latest organization to join this unenviable club is Healthcare Services Group, Inc. (HSGI), which provides environmental, dining, and nutrition services to long-term care facilities and nursing homes across the country. 

What happened?

The Pennsylvania-based company suffered a ransomware attack in late September 2024 that was discovered on October 7, 2024. According to filings with state regulators, the attack exposed the personal information of more than 620,000 patients, reports ClaimDepot.com.  

The data confirmed to have been accessed may include names, Social Security numbers, driver’s license numbers, state identification numbers, financial account information, and full access credentials. 

Digital news and research site Comparitech reports that a cybercrime group called Underground claimed responsibility for the attack later in October, and posted 1.1 terabytes of information for sale on its website. 

While unverified by HSGI, the listing by Underground says that the information also includes contracts and financial documents, stockholder documentation, invoices, proposals, payroll data, and employee information such as passports, tax documents, and performance improvement plans. 

HSGI filed its breach notifications with relevant state regulators and sent its notifications to affected individuals in late August, close to a year after the original breach was uncovered. The company attributed the long delay to its extensive review of the files to determine whether sensitive information was exposed and which individuals may be at risk. The company is offering standard identity monitoring services and states that it is reexamining its privacy and security protocols to prevent future incidents. 

The rising risk of third-party data breaches

This event is just the latest in a string of large breaches that have scooped up patient information without hitting healthcare providers directly, the most notorious of which is the Change Healthcare breach of 2024. The CrowdStrike incident of the same year also took a heavy toll on the healthcare industry, with some sources estimating $2 billion in losses for the healthcare industry and measurable disruptions in care for hundreds of hospitals, although CrowdStrike itself disputes the latter. 

Following those, 5.4 million individuals had their data exposed by an attack on Episource, a coding and risk adjustment services provider, which was hit in early 2025. 

A recent report by cybersecurity firm Black Kite indicates that healthcare is the industry most affected by third-party data breaches, with 41.2% of all third-party breaches having an impact on care providers, likely due to the high value of – and relatively easy access to – personal healthcare information. 

Yet healthcare organizations are woefully underprepared to combat these growing threats. A separate report by Imprivata, another cybersecurity services provider, found that 64% of healthcare providers cited lack of resources as a primary barrier to third-party risk reduction, and only 43% of healthcare organizations even evaluate third-party security practices before granting access to sensitive data. Most (66%) rely on the basic step of revoking access credentials as their primary security measure, suggesting a highly reactive, and often insufficient, approach to third-party data management. 

How to protect sensitive data in an interconnected ecosystem

While data breaches are largely a matter of “when,” not “if,” there are some steps that healthcare provider groups can take to safeguard their patients’ data despite living in an increasingly enmeshed data landscape. 

Nonprofit research organization ECRI suggests taking a coordinated and strategic approach to assessing and monitoring third-party threats: conducting thorough internal and partner-facing risk reviews, building redundancies into systems, especially those that touch third-party entities, and regularly testing response plans and recovery procedures in case a bad actor slips through. 

Organizations can also take advantage of industry resources, such as CISA’s new tool to help enhance protections against third-party risks. The online questionnaire helps organizations understand their unique vulnerabilities and develop an action plan for mitigating risks across the information supply chain. 

This type of assessment could help organizations address some of the fundamental risks involved in working with third-party vendors and service providers. By strengthening their processes around assessing both internal vulnerabilities and the security protocols of their partners, healthcare organizations can hopefully avoid the worst impacts of a third-party cyberattack and protect the sensitive information of their patients. 


Jennifer Bresnick is a journalist and freelance content creator with a decade of experience in the health IT industry.  Her work has focused on leveraging innovative technology tools to create value, improve health equity, and achieve the promises of the learning health system.  She can be reached at [email protected].