
A data leak over the summer may have given hackers access to health records and personal information for both residents and staff at 40 nursing homes, according to the healthcare services provider whose servers were compromised. 

The company, HMG Healthcare, said earlier this month that it first identified the leak in November and traced the data breach incident back to August. 

Although the exact information stolen is unidentifiable, HMG has taken steps to try to mitigate harm and make sure data was not spread further, and has increased its “data security protocols,” the company said in a letter sent to affected employees and residents.

“We sincerely apologize for any inconvenience and concern this incident causes you,” HMG CEO Derek Prince said in a statement. “HMG will continue to do everything we can to correct this situation and improve our protections for you and others going forward.”

These kinds of costly leaks are why new cybersecurity is one of the highest tech priorities for healthcare organizations, McKnight’s reported last month.

Senior care and living operations remain among the industries most vulnerable to these attacks, due to a number of factors ranging from weak passwords and staff errors to outright theft, security experts have warned.

One recent settlement involving a data breach ended up costing one senior living operator, Acts Retirement-Life Communities, $1 million.

The HMG leak possibly occurred due to a ransomware attack, and the company may have been forced to negotiate with the hackers to prevent further damage, one cybersecurity company exec speculated. 

“Because they were compromised and couldn’t completely guarantee nothing was visually seen and copied via screen shot or other means, they had to publicly disclose the breach,” said Bobby Cornwall, vice president for strategic partner enablement and integration at SonicWall. “They would need to be careful with their statement and disclosure so as not to be put in a situation that could result in larger fines due to HIPAA violations.”