PHI Exposed at HMG Healthcare, First Choice Dental and Lone Peak Physical Therapy

HMG Healthcare Data Breach Impacts 80,000 People

Healthcare services provider HMG Healthcare, LLC based in Texas recently reported the exposure and potential theft of the protected health information (PHI) of about 80,000 people in a cyberattack discovered in November 2023.

HMG Healthcare started a forensic investigation after detecting suspicious system activity. It was confirmed that unauthorized persons initially accessed its system in August 2023. The investigation likewise affirmed the copying of unencrypted files, however, it cannot be identified precisely what types of data the hackers obtained. There was no mention of why identification was not possible, for example, whether there was inadequate logging or if a detailed evaluation would be too timely and expensive. HMG Healthcare stated the files that were taken from its system possibly included data like names, birth dates, contact data, general health details, health treatment data, employment files and/or Social Security numbers.

The precise nature of the cyberattack was not mentioned; nevertheless, HMG Healthcare said that it worked hard to be sure the stolen data were not further exposed by the attackers, which indicates that the hackers asked for ransom and HMG Healthcare paid it to stop the exposure/sale of the stolen information. It was not revealed which group was responsible for the attack.

The breach has impacted the staff and residents at the following 40 HMG Healthcare-affiliated nursing centers in Kansas and Texas:

  • Accel at College Station
  • Arbrook Plaza
  • Arbor Court Retirement Community at Salina (Independent Living)
  • Arbor Court Retirement Community at Alvamar (Independent Living)
  • Arbor Court Retirement Community at Topeka (Independent Living)
  • Crowley Nursing and Rehabilitation
  • Cimarron Place Health & Rehabilitation Center
  • Deerbrook Skilled Nursing & Rehab
  • Friendship Haven Healthcare & Rehab Center
  • Forum Parkway Health & Rehabilitation
  • Green Oaks Nursing and Rehabilitation
  • Gulf Pointe Village (Assisted Living Only)
  • Harbor Lakes Nursing and Rehabilitation Center
  • Holland Lake Rehabilitation and Wellness Center
  • Hewitt Nursing and Rehabilitation
  • Lone Star Rehabilitation and Wellness Center
  • Mission Nursing and Rehabilitation Center
  • Methodist Transitional Care Center
  • Northgate Plaza (Legacy)
  • Park Manor of Conroe
  • Park Manor of BeeCave (Legacy)
  • Park Manor of CyFair
  • Park Manor of Humble
  • Park Manor of Cypress Station
  • Park Manor of Mckinney (Legacy)
  • Park Manor of South Belt
  • Park Manor of Quail Valley
  • Park Manor of The Woodlands
  • Park Manor of Westchase
  • Park Manor of Tomball
  • Pecan Bayou Nursing and Rehabilitation
  • Red Oak Health and Rehabilitation Center
  • Smoky Hill Health and Rehabilitation
  • Silver Spring Health & Rehabilitation Center
  • Stonegate Nursing and Rehabilitation
  • Stallings Court Nursing and Rehabilitation
  • Treviso Transitional Care
  • Tanglewood Health and Rehabilitation
  • Willowbrook Nursing Center

HMG Healthcare posted the substitute breach notice on its website advising the impacted persons to keep track of their credit reports and account statements to spot any suspicious transactions. There was no credit monitoring and identity theft protection services provided to the victims. HMG Healthcare stated it has improved its data security practices to stop the same cyberattacks and data breaches later on.

Patient Files Possibly Accessed at Lone Peak Physical Therapy

Lone Peak Physical Therapy is the owner of 10 physical therapy facilities in Montana. A break-in occurred at its Bozeman business office and clinic on October 21, 2023. Lone Peak detected the robbery on October 23, 2023 as its staff came back to work. It reported the robbery to the authorities and conducted an inventory to find out which products were stolen. A safe that contained patient payments, billing details, and laptops was stolen. The laptops were encrypted therefore the stored files were not accessed, nor used for network access. In case the burglar tries to pawn any stolen information, the Gallatin County Sheriff’s Department will be informed.

The office filing cabinets that contained hard copies of patient data were locked. Lone Peak Physical Therapy stated no hard copy seems to have been taken, but it’s possible that the files were read. The files included the data of 5,809 patients and as a safety precaution, those people were provided free credit monitoring services.

Lone Peak is sorry for the problems this situation might have created and is doing what is necessary to prevent similar incidents in the future.

Potential Exposure of PHI of First Choice Dental Patients

First Choice Dental manages 11 clinics around Madison and Dane County, WI. It recently submitted a data breach report to the Office for Civil Rights indicating that 1,000 patients were affected. Because this is a temporary notification, that number may be updated when the investigation is completed.

Based on its notification letters, there was unauthorized system activity discovered on October 22, 2023. A third-party cybersecurity company investigated the incident and confirmed the access to its network by an unauthorized third party. The investigation is still in progress and the breached data is still being assessed. First Choice Dental will mail formal data breach notifications to the impacted patients upon completion of the investigation and after file analysis has revealed the types of data exposed. In the meantime, patients were advised concerning the cyberattack by posting a notice on its website.

First Choice Dental immediately blocked any access to its system and has applied some extra safety measures to better secure patient information. The safety measures include:

  • adding an XDR/EDR solution on all computer and server endpoints
  • complete password resets for administrator accounts
  • deletion of unneeded administrator accounts
  • immutable off-site backups of critical servers and site servers
  • patching of the ESXiArgs vulnerability on its Vmware vSphere setting
  • setup of a fine-grained AD password policy for all end users

First Choice Dental is likewise changing its multifactor authentication and firewall and has deactivated remote access until the completion of the implemented changes. First Choice Dental should be credited for its transparency regarding the data breach and for giving a complete temporary notification to patients.

About the Author

Elizabeth Hernandez
Elizabeth Hernandez is the editor of HIPAA News. Elizabeth is an experienced journalist who has worked in the healthcare sector for several years. Her expertise is not limited to general healthcare reporting but extends to specialized areas of healthcare compliance and HIPAA compliance. Elizabeth's knowledge in these areas has made her a reliable source for information on the complexities of healthcare regulations. Elizabeth's contribution to the field extends to helping readers understand the importance of patient privacy and secure handling of health information. Elizabeth holds a postgraduate degree in journalism. You can follow Elizabeth on twitter at