Healthcare Services Group Inc. (HSGI), a Pennsylvania-based provider of support services to healthcare facilities, has disclosed a data breach affecting over 600,000 individuals. The company discovered unauthorized access to its systems on October 7, 2024, but later determined that attackers had infiltrated its network as early as September 27. During this time, malicious actors accessed and exfiltrated sensitive data from HSGI’s systems.
According to the official notice, the attackers copied certain files between September 27 and October 3. HSGI initiated a comprehensive file review to identify impacted individuals and the nature of the data exposed—a process that spanned nearly ten months. Notifications were only sent out on August 25, 2025, drawing scrutiny over the extended delay in public disclosure.
The compromised data includes a range of personally identifiable information, which may vary by individual: names, Social Security numbers, driver’s license or state ID numbers, financial account information, and login credentials. Though HSGI reports no signs of active misuse, it is offering 12 or 24 months of credit monitoring and identity theft protection based on the data exposure level.
No ransomware group has claimed responsibility for the incident. As of now, the exact entry point remains undisclosed, and questions remain about how the attackers evaded detection for over a week and why the notification process took so long.
This incident highlights a recurring issue in cybersecurity: prolonged detection times and delayed breach disclosures. Organizations must tighten incident response protocols and improve transparency with affected parties. Swift containment is critical, but so is timely communication—both for regulatory compliance and public trust. Regular risk assessments, data classification, and breach preparedness drills should be core components of every enterprise security strategy.
