
Healthcare Services Group, Inc. (HSGI), a prominent provider of support services to over 3,000 healthcare facilities, has confirmed a significant data breach impacting 624,496 individuals [1]. The security incident, attributed to the ransomware group Underground, involved unauthorized access and data exfiltration from the company’s network between September 27 and October 3, 2024 [4]. The breach was detected on October 7, 2024, but the full scope of the compromised data was not discovered until June 3, 2025, with formal notifications beginning on August 25, 2025 [2]. The exfiltrated data includes a wide array of sensitive personal, financial, and medical information, making this one of the largest breaches in the non-direct care healthcare sector for 2024 [3].
Incident Timeline and Technical Details
The attack lifecycle followed a pattern consistent with modern double-extortion ransomware operations. Initial access was gained between September 27 and October 3, 2024. HSGI’s security team detected anomalous activity on October 7, 2024, prompting an investigation. The threat actors, identified as the Underground group, publicly claimed responsibility for the attack on October 25, 2024, stating they had exfiltrated 1.1 terabytes of data [4]. Despite this early claim, HSGI’s internal forensic review did not confirm the full extent of the data compromise until June 3, 2025, nearly ten months after the initial intrusion. This long gap between intrusion, detection, and full understanding of the impact is a critical point for security teams to analyze in their own incident response planning.
Compromised Data and Threat Actor Profile
The data types exposed vary per individual but constitute a severe privacy risk. The stolen information includes full names, Social Security Numbers (SSNs), driver’s license and state identification numbers, passport numbers, financial account information, account access credentials, dates of birth, medical information, and health insurance details [3]. Underground additionally claimed to have taken confidential legal and financial documents, stockholder documentation, tax documents, invoices, and payroll data [4]. Underground is a ransomware operation active since mid-2023, known for its double-extortion tactics. The group primarily targets the construction and manufacturing sectors, so this attack on a healthcare services provider represents a potential shift in its targeting strategy [4].
Corporate Response and Legal Repercussions
In its SEC Form 8-K filing on October 16, 2024, HSGI stated that the incident did not disrupt its business operations and was not expected to have a material financial impact [2]. As a remedial measure, the company is offering 12 or 24 months of complimentary credit monitoring and identity theft protection services through Experian, with the duration depending on the specific type of data exposed per individual. The breach has triggered multiple investigations by law firms, including Murphy Law Firm, Milberg Coleman Bryson Phillips Grossman, LLC, Srourian Law Firm, and Edelson Lechtzin LLP, exploring potential class action lawsuits [6], [7]. These legal actions allege negligence due to a poorly secured network.
Broader Context and Defensive Recommendations
This breach ranks as the fourth largest in the non-direct care healthcare sector for 2024. The sector saw 30 attacks that year, compromising over 196 million records, primarily due to the Change Healthcare breach [4]. For security professionals, this incident underscores the critical need for robust monitoring of data egress points and for faster incident response and forensic capabilities that shorten the time between intrusion and full impact assessment. Defensive strategies should focus on segmenting networks that house sensitive personally identifiable information (PII) and protected health information (PHI) from broader corporate networks, implementing strict access controls, and deploying threat detection systems capable of identifying data exfiltration patterns.
The Healthcare Services Group breach serves as a stark reminder of the persistent threat ransomware groups pose to third-party vendors in critical infrastructure supply chains. While the direct financial impact on HSGI may be limited, the long-term consequences for the affected individuals and the company’s reputation are substantial. Security teams should use this incident to review their own security postures, particularly focusing on data classification, network segmentation, and incident response readiness to better detect and respond to similar threats.