HMSA Data Breach Exposes Sensitive Health and Personal Information
Hawaii Medical Service Association (HMSA) disclosed a data breach on December 9, 2024, after detecting unauthorized access to a single employee email account due to a spear phishing attack. The incident prompted an internal investigation, which confirmed that an unauthorized third party may have accessed and acquired sensitive personal identifiable information (PII) and protected health information (PHI) contained in the compromised emails.
While HMSA has not publicly detailed the specific types of data exposed as of December 16, 2025, the breach notice indicates that affected individuals will receive a list of the impacted information. The organization has posted a breach notification on its website, though the full scope of the incident—including the number of individuals affected—remains unclear. The breach highlights ongoing risks posed by targeted phishing campaigns in the healthcare sector.
HMSA cybersecurity rating report: https://www.rankiteo.com/company/hmsa
"id": "HMS1765907786",
"linkid": "hmsa",
"type": "Breach",
"date": "12/2024",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'industry': 'Health Insurance',
'name': 'HMSA',
'type': 'Healthcare'}],
'attack_vector': 'Spear Phishing',
'customer_advisories': 'List of specific types of sensitive information '
'impacted to be provided to affected individuals',
'data_breach': {'data_exfiltration': 'Possible',
'personally_identifiable_information': 'Yes',
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['Personal Identifiable '
'Information',
'Protected Health Information']},
'date_detected': '2024-12-09',
'date_publicly_disclosed': '2025-12-16',
'description': 'HMSA experienced a data breach where sensitive personal '
'identifiable information and protected health information may '
'have been compromised due to unauthorized access to a single '
'email account via a spear phishing campaign.',
'impact': {'data_compromised': 'Sensitive personal identifiable information '
'and protected health information',
'identity_theft_risk': 'High',
'systems_affected': 'Single email account'},
'initial_access_broker': {'entry_point': 'Email Account'},
'investigation_status': 'Ongoing',
'post_incident_analysis': {'root_causes': 'Spear phishing attack leading to '
'unauthorized access to an email '
'account'},
'references': [{'date_accessed': '2025-12-16',
'source': 'HMSA Breach Notice'}],
'response': {'communication_strategy': 'Website breach notice',
'incident_response_plan_activated': 'Yes'},
'title': 'HMSA Data Breach Due to Spear Phishing',
'type': 'Data Breach',
'vulnerability_exploited': 'Email Account Compromise'}