Healthcare Services Group discloses 'cybersecurity incident' in SEC filing
Laundry and dining provider still investigating cause and scope
Healthcare Services Group (HSG) has disclosed "unauthorized activity within some of its systems" in a Securities and Exchange Commission (SEC) filing.
The company, which provides housekeeping, laundry, and food and nutrition services to thousands of US healthcare facilities, said in a Form 8-K filing on Wednesday that it suffered a "cybersecurity incident" on October 9.
"The Company immediately activated its Cybersecurity Incident Response Process to investigate such activity with the assistance of leading third-party cybersecurity experts," the filing states. "The Company has also notified law enforcement authorities... [and] will continue to monitor the situation and take appropriate actions consistent with its response protocols."
Many of the usual details The Reg would expect to see from disclosures of this type aren't included in the filing, which is in part due to HSG's admission that it doesn't have all the facts of the case yet. The full nature of the incident and its scope are still being determined.
Regardless, NASDAQ-listed HSG says it does not anticipate the incident having a material impact on its finances or business operations.
HSG operates in 48 states, employs around 35,000 people, and serves around 5,000 accounts, with a large concentration of its business located in the Midwest and East Coast, close to its Pennsylvania headquarters.
- US contractor pays $300K to settle accusation it didn't properly look after Medicare users' data
- US healthcare org admits up to 400,000 people's personal info was snatched
- Healthcare attacks spread beyond US – just ask India's Star Health
- Ransomware gang Trinity joins pile of scumbags targeting healthcare
The attack at HSG is the latest of many to hit US healthcare organizations this year. Just this week, yet another company adjacent to the healthcare industry announced a sizeable intrusion potentially affecting 400,000 people.
Like HSG, Gryphon Healthcare is not a healthcare organization, but provides essential services to facilities like revenue cycle and billing management tools. It said personal patient data such as names, diagnoses, medical record numbers, social security numbers, and more were stolen by cybercriminals.
Lawyers quickly spun into action, appealing for class representatives to join a potential class-action lawsuit against Gryphon.
Similar cases were made against Change Healthcare earlier this year thanks to its mega breach at the hands of ALPHV/BlackCat. It faces at least six class-action cases as a result. ®