Healthcare Services Group, Inc. Data Breach: 624,500 Patients and Employees Impacted Across 48 States

Posted on
healthcare services group data breach

Woods Lonergan PLLC is a nationally recognized complex commercial and civil litigation firm that represents clients in select data breach class actions nationwide. Our attorneys have a proven record of holding national corporations, educational institutions, and technology vendors accountable when failures in cybersecurity expose the sensitive personal, financial, and educational information of consumers and businesses.

Healthcare Services Group, Inc. (HCSG), headquartered in Bensalem, Pennsylvania, confirmed in August 2025 that a cybersecurity breach exposed the personal and health information of 624,496 individuals across the United States.

(HCSG) is a publicly traded company on the NASDAQ, providing environmental, dining, and nutritional support services to more than 3,000 healthcare facilities in 48 states. The company employs over 35,000 people nationwide, making it one of the largest service providers to healthcare institutions in the country.

What You Should Do If You Receive a Healthcare Services Group Data Breach Letter

If you received a data breach notification letter from HSG or suspicious-looking emails impersonating the company, your personal data may already be at risk.

Call Our Data Breach Lawyers 24/7 at (332) 378-0376 or email loganlowe@woodslaw.com for a free and confidential consultation. Woods Lonergan takes no fees unless we win.

Our Data Breach Litigation Team is committed to ensuring victims of the Farmers Insurance Data Breach receive the justice they deserve.

Who Was Impacted by the Healthcare Services Group Data Breach?

The Maine Attorney General confirmed that 624,496 individuals were affected, including 3,871 Maine residents. Impacted parties include:

  • Patients of healthcare facilities serviced by HSG — exposed medical information, health insurance records, and PHI
  • Employees of HSG — payroll, tax, and HR data were confirmed stolen
  • Potential facility staff/vendors connected to HSG systems

The compromised data includes:

  • Names
  • Social Security numbers
  • Government-issued IDs (driver’s license, passport, state ID)
  • Bank account numbers
  • Credit/debit card details
  • Health insurance and medical information
  • Employee payroll, tax, and stockholder records

As reported: “The compromised data…includes names, Social Security numbers, driver’s license numbers, state IDs, financial account details, and credentials.”SecurityWeek

How Did the Healthcare Services Group Data Breach Happen?

  • Initial Access: September 27, 2024
  • Detection: October 9, 2024
  • Disclosure: SEC Form 8-K filed October 16, 2024
  • Final Determination of Affected Data: June 3, 2025
  • Notification Letters Sent: Beginning August 25, 2025

The Underground ransomware gang has claimed responsibility, stating it stole 1.1 TB of data, including confidential legal and financial records, stockholder documentation, payroll, and employee files.

“Underground says it stole confidential legal and financial documents, employees’ Social Security numbers, stockholder documentation, tax documents, invoices, payroll, and other employee info.” SecurityWeek

If Hackers Stole Your Data in the HSG Breach

If your information was exposed in the HSG breach, hackers may attempt to use it for fraud, identity theft, or phishing. Even if you have not yet noticed unusual activity, your Social Security number, financial records, or medical details may already be circulating on the dark web.

Call Woods Lonergan immediately at (332) 378-0376 or email loganlowe@woodslaw.com. Our consultations are free, and we only get paid if we win compensation for you.

Our Data Breach Litigation Team is committed to ensuring victims of the Farmers Insurance Data Breach receive the justice they deserve.

Why the Healthcare Services Group Data Breach Matters

The HSG data breach is serious due to its scope, the delay in notification, and the sensitivity of the information stolen.

The stolen information can be weaponized in multiple ways:

  • Phishing and impersonation attacks targeting patients and employees via email, text, or phone
  • Identity theft using dates of birth, driver’s license numbers, and Social Security numbers
  • Fraudulent credit applications or account takeovers with stolen bank and card details
  • Healthcare data misuse for insurance fraud or resale on the dark web
  • Employee tax and payroll exploitation leading to IRS fraud or targeted scams

As HIPAA Journal reported: “Healthcare Services Group has recently notified the Maine Attorney General about a major data breach involving unauthorized access to systems containing the personal and protected health information of 624,496 individuals.”

Potential Legal Issues in the HSG Data Breach

Woods Lonergan is investigating several legal claims on behalf of affected individuals, including:

  • HIPAA Violations — failure to protect PHI
  • Negligence — inadequate monitoring, vendor management, and safeguards
  • Failure to Notify Timely — breach occurred in Sept. 2024; notice mailed nearly one year later
  • Breach of Implied Contract — patients and employees entrusted data expecting secure handling
  • Unjust Enrichment — HSG benefited from storing and using data without providing proper protection

About Woods Lonergan PLLC

Woods Lonergan PLLC is a nationally recognized firm specializing in complex civil litigation, including class action, data privacy, and cybersecurity matters. We have a proven track record of successfully holding corporations accountable for data breaches and protecting the rights of consumers. Our firm is currently representing plaintiffs in open litigation for numerous significant data breaches in 2025, including cases involving Powerschool, Ahold Delhaize, Aflac Insurance, Allianz Insurance, Johnson Controls, Community Health Center, Columbia University, DISA Global Solutions, and New Haven Health. Notably, in 2025, Woods Lonergan settled the 23andMe Data Breach Lawsuit for $30 Million in the Northern District of California and reached a Multi-Million Dollar Settlement in the Sunflower Medical Group data breach case in the U.S. District Court for the District of Kansas.

Our Data Breach Litigation Team is committed to ensuring victims of the Healthcare Services Group Data Breach receive the justice they deserve.

Contact Our Lawyers if You Were Impacted by the HSG Data Breach

If you received a data breach letter from Healthcare Services Group or suspect your information was stolen, don’t wait. Hackers often use stolen data long before companies disclose breaches.

Call Woods Lonergan 24/7 at (332) 378-0376 or email loganlowe@woodslaw.com to learn your legal options. We only get paid if we win compensation for you.

FAQs About the Healthcare Services Group Data Breach

Who was affected by the HSG data breach?

624,496 individuals across 48 states, including patients whose medical data was exposed and HSG employees whose payroll and HR information was stolen.

What personal data was stolen in the HSG breach?

Names, Social Security numbers, driver’s license and passport details, financial account information, credit/debit card numbers, health insurance and medical info, payroll/tax records, and stockholder data.

How long did hackers have access to HSG’s systems?

Hackers accessed systems from September 27, 2024, until October 9, 2024, when the breach was detected.

What services does HSG provide?

HSG provides environmental services (housekeeping, laundry, floor care, infection prevention), dining services (menu development, dietary compliance, safe meal preparation), and nutrition services (personalized meals, clinical expertise, patient-centered care).

How will I know if my information was exposed in the HSG breach?

Notification letters began mailing on August 25, 2025. If you receive a letter, your information was exposed. In some cases, phishing emails may be the first sign.

Can I join a lawsuit over the HSG data breach?

Yes. If your data was exposed and you suffered harm — such as identity theft, fraud, or phishing attempts — you may qualify as a named plaintiff or class member.

What damages could victims recover?

Compensation may include reimbursement for fraud losses, costs of credit monitoring, statutory damages under state and federal law, and recovery for time spent repairing financial and medical records.

Sources

About the Author
Lawrence R. Lonergan serves as a Partner with the firm and has practiced corporate, commercial, securities, and real estate law in New York since 1992, and in New Jersey since 2007. Larry has successfully litigated complex matters in state and federal courts in New York and New Jersey throughout his career. Larry is a business-minded lawyer with substantial transactional experience in corporate, commercial, and real estate deals. His clients include publicly traded companies, developers, and pharmaceutical and technology companies. If you have any questions regarding this blog, book a consultation with Lawrence Lonergan.
Disclaimer: The information in this article and blog post (“post”) is provided for informational purposes only, and may not reflect the current law(s) in every jurisdiction. No information contained in this post should be construed as legal advice from Woods Lonergan PLLC or the individual author(s), nor is it intended to be a substitute for legal counsel on any subject matter. Nothing herein shall be construed to create an attorney-client relationship with Woods Lonergan PLLC. No reader of this post should act or refrain from acting on the basis of any information included in, or accessible through, this Post without seeking the appropriate legal or other professional advice on the particular facts and circumstances at issue from an attorney licensed in the recipient’s jurisdiction. This post is attorney advertising.
Attorney Advertising | Disclaimer | Privacy Policy
Website developed in accordance with Web Content Accessibility Guidelines 2.1.
If you encounter any issues while using this site, please contact us: 212.684.2500