HMSA Data Breach Exposes Sensitive Personal and Health Information
Health Management Systems of America (HMSA), a Detroit-based behavioral healthcare provider, disclosed a data breach stemming from a spear phishing attack that compromised a single employee email account. The incident was discovered on December 9, 2024, though HMSA only publicly acknowledged it in a Notice of Security Incident posted on November 11, 2025.
The breach occurred when an unauthorized actor gained access to the email account, which contained sensitive personally identifiable information (PII) and protected health information (PHI). An IT security firm was engaged to investigate, and the U.S. Department of Health and Human Services was notified. While the full scope of exposed data remains under review, potentially compromised information includes:
- Names
- Addresses
- Phone numbers
- Social Security or Tax ID numbers
- Medical records
- Health insurance details
HMSA is working with legal and data review teams to identify affected individuals, who will receive direct notification by mail. Those without current addresses will be notified via a substitute notice on HMSA’s website.
The law firm Shamis & Gentile P.A. is investigating the breach, citing potential legal recourse for impacted individuals, including compensation for financial losses, time spent mitigating the breach, or emotional distress. The incident highlights ongoing risks in healthcare cybersecurity, particularly from targeted phishing attacks.
Source: https://www.claimdepot.com/investigations/hmsa-data-breach-2025
Healthcare Systems of America cybersecurity rating report: https://www.rankiteo.com/company/healthcare-systems-of-america
"id": "HEA1765421150",
"linkid": "healthcare-systems-of-america",
"type": "Breach",
"date": "12/2024",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': 'Healthcare',
                        'location': 'Detroit, USA',
                        'name': 'Health Management Systems of America (HMSA)',
                        'type': 'Behavioral Healthcare Company'}],
 'attack_vector': 'Spear Phishing',
 'customer_advisories': 'Individuals whose data was involved will receive a '
                        'notice letter by mail; substitute notice will be '
                        'provided on HMSA’s website if a current address '
                        'cannot be found.',
 'data_breach': {'data_exfiltration': 'Emails acquired by unauthorized actor',
                 'personally_identifiable_information': ['Name',
                                                         'Address',
                                                         'Phone number',
                                                         'Social Security or '
                                                         'Tax ID numbers',
                                                         'Medical information',
                                                         'Health insurance '
                                                         'details'],
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Personally Identifiable '
                                              'Information',
                                              'Protected Health Information']},
 'date_detected': '2024-12-09',
 'date_publicly_disclosed': '2025-11-11',
 'description': 'HMSA discovered unauthorized activity involving a single '
                'email account as a result of a spear phishing campaign. The '
                'breach exposed sensitive personally identifiable information '
                'and protected health information of individuals.',
 'impact': {'data_compromised': 'Sensitive personally identifiable information '
                                'and protected health information',
            'identity_theft_risk': 'High',
            'systems_affected': 'Single email account'},
 'initial_access_broker': {'entry_point': 'Spear phishing campaign'},
 'investigation_status': 'Ongoing',
 'recommendations': ['Enroll in free credit monitoring and identity protection '
                     'services if offered',
                     'Monitor financial statements for suspicious activity',
                     'Place a fraud alert and request credit reports from '
                     'major credit bureaus',
                     'Seek legal help to understand rights and pursue '
                     'compensation'],
 'references': [{'source': 'Shamis & Gentile P.A.'}],
 'regulatory_compliance': {'regulatory_notifications': 'Department of Health '
                                                       'and Human Services'},
 'response': {'communication_strategy': 'Notice of Security Incident posted on '
                                        'website; affected individuals to '
                                        'receive notice letters by mail',
              'law_enforcement_notified': 'Department of Health and Human '
                                          'Services notified',
              'third_party_assistance': 'IT security firm hired for '
                                        'investigation'},
 'title': 'Health Management Systems of America (HMSA) Data Breach',
 'type': 'Data Breach',
 'vulnerability_exploited': 'Compromised email account'}