Texas-based care provider HMG Healthcare has confirmed that hackers accessed the personal data of residents and employees, but says it was unable to determine what types of data were stolen.
HMG Healthcare is headquartered in The Woodlands, Texas and provides a range of services including memory care, rehabilitation and assisted living. HMG’s website says it employs more than 4,100 people and serves around 3,500 patients, creating more than $150 million in annual revenue.
In a notice published on its website, HMG chief executive Derek Prince confirmed that hackers in August accessed a server storing “unencrypted files” containing sensitive information belonging to patients, employees and their dependents. HMG said it learned of the breach months later, in November.
HMG said the stolen information “likely contained” personal information, including names, dates of birth, contact information, social security numbers and employment-related records. as well as medical records, general health information and information about medical treatment, according to the notice. HMG also said the notice was published to inform “individuals for whom HMG has insufficient or outdated contact information” about the incident, suggesting that historical patient data may have been affected.
However, HMG admits that while it has tried to identify the specific data breached, “we have now determined that such identification is not possible”.
It’s not yet known why HMG was unable to identify the types of data that were stolen, and a company representative did not respond to TechCrunch’s questions.
HMG did not say in its announcement how many people are believed to be affected by the breach. However, a filing with the Texas attorney general filed by HMG on Monday confirms that approximately 75,000 Texans were affected by the breach. although it is not known how many non-state residents are affected.
HMG did not describe the nature of the cyberattack, but noted that “HMG worked diligently to ensure that the stolen files were not further shared by the hackers with other sources.” It is not uncommon for corporate victims of ransomware attacks to pay hackers a ransom demand in an attempt to limit the spread of stolen data, even though they have no guarantee that the hackers will hold up their end of the bargain.
TechCrunch asked HMG if it had paid a ransom to the hackers.
According to HMG’s data breach notification, the healthcare provider also has a number of facilities in Kansas — including Tanglewood Health and Rehabilitation and Smoky Hill Health and Rehabilitation — that were affected by the data breach.
HMG CEO Prince noted that the organization has “increased its data security protocols” in light of the incident, but did not specify what additional security measures were taken.
