Texas-based care provider HMG Healthcare has confirmed that hackers accessed the personal data of residents and employees, but says it has been unable to determine what types of data were stolen.
HMG Healthcare is headquartered in The Woodlands, Texas, and provides a range of services, including memory care, rehabilitation, and assisted living. HMG’s website says it employs more than 4,100 people and serves approximately 3,500 patients, generating more than $150 million in annual revenues.
In a notice published on its website, HMG chief executive Derek Prince confirmed that hackers in August accessed a server storing “unencrypted files” containing sensitive information belonging to patients, employees, and their dependents. HMG said it learned of the breach months later in November.
HMG said the stolen information “likely contained” personal information, including names, dates of birth, contact information, Social Security numbers, and records related to employment; as well as medical records, general health information, and information regarding medical treatment, according to the notice. HMG also said that the notice has been published in order to inform “individuals for whom HMG has insufficient or out-of-date contact information” about the incident, suggesting historical patient data may have been impacted.
However, HMG admits that while it attempted to identify the specific data that was compromised, “we have now determined that such identification is not feasible.”
It’s not yet known why HMG couldn’t determine the types of data stolen, and a company spokesperson did not respond to TechCrunch’s questions.
HMG did not say in its notice how many individuals are thought to be affected by the breach. However, a filing with the Texas attorney general submitted by HMG on Monday confirms that approximately 75,000 Texans were impacted by the breach; though it’s not known how many non-state residents are affected.
HMG did not describe the nature of the cyberattack, but noted that “HMG worked diligently to ensure that the stolen files were not further shared by the hackers to other sources.” It’s not uncommon for corporate victims of ransomware attacks to pay hackers a ransom demand in an effort to limit the spread of stolen data, despite having no guarantees that the hackers would keep their end of the deal.
TechCrunch asked HMG if it had paid a ransom to the hackers.
Per HMG’s data breach notice, the healthcare provider also has a number of facilities in Kansas — including Tanglewood Health and Rehabilitation, and Smoky Hill Health and Rehabilitation — that were affected by the data breach.
HMG CEO Prince noted that the organization has “increased its data security protocols” in light of the incident, but did not specify what additional security steps were taken.