Unencrypted patient medical records and other personal data stolen from US healthcare firm

Red padlock open on electric circuits network dark red background
(Image credit: Shutterstock/Chor muang)

HMG Healthcare, a premier Texas healthcare service provider, suffered a cyberattack last summer that resulted in the theft of sensitive customer data, leading to the possible risk of identity theft and other scams. 

The company confirmed the news in a notice published on its website signed by Chief Executive Officer & Managing Partner, Derek Prince which states it suffered a data breach in August 2023, but only became aware of it in November. 

During the attack, hackers stole unencrypted customer data sitting on the company’s servers, including names, dates of birth, contact information, general health information, information regarding medical treatment, social security numbers and/or employment records.

Who are the attackers?

The company tried to identify the specific data that was compromised, but later concluded that “such identification is not feasible”.

The breach was “fully” mitigated, and the hackers were ousted from the company’s endpoints, the letter confirmed. 

Unfortunately, there are many details missing from the breach notification letter. We reached out to HMG with more questions, and will update the article if we hear back from them. 

At press time, there was no information on who the attackers are, or whether or not this was a ransomware attack. Usually, hackers that steal data also encrypt the victim’s systems and demand payment in cryptocurrency in exchange for the decryption key. Also, they demand money not to release the stolen data on the internet. 

We also don’t know how many people were affected by the breach. According to the HMG website, the company has roughly 3,500 patients and 4,100 employees. If the hackers stole sensitive data of both current and former employees and customers, the number of affected individuals could be counted in tens of thousands, if not hundreds.

Finally, we asked HMG to clarify how the threat actors managed to breach the endpoints, if there were any malware, or social engineering involved. We also wanted to know if the company is planning on offering free identity and credit monitoring services to affected individuals. The type of data that was stolen is usually used in phishing and identity theft attacks. 

“While we believe that the breach has been mitigated, you can take steps to protect yourself or loved one by monitoring account statements, explanations of benefits, and credit bureau reports closely. You may also review the Additional Information provided below as a resource,” Prince’s letter concludes. 

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.