Cyber Incident Victim: HomecareGPS
Date:
Jun 2023
Location:
United States of America
Summary
HomecareGPS, operating as Elgon Information Systems, experienced a hacking/IT incident compromising protected health information of 31,248 individuals, prompting notification to affected parties and a filing with federal health authorities. The unauthorized access likely exposed patient identifiers and associated healthcare data, though specific compromised details remain undisclosed. The Massachusetts-based company, which provides compliance software for home healthcare agencies, confirmed the breach after discovering sensitive consumer data was accessed by an unauthorized party.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On June 2, 2023, Elgon Information Systems, operating under the name HomecareGPS, filed a notice of data breach with the U.S. Department of Health and Human Services Office for Civil Rights (HHS-OCR). The company discovered that an unauthorized party had gained access to confidential consumer information, prompting an investigation into the security incident. According to the HHS-OCR filing, the breach involved a hacking or IT-related incident affecting the protected health information (PHI) of 31,248 individuals. HomecareGPS initiated a review of compromised files to identify the specific data types exposed and determine the scope of impacted consumers. While the company did not publicly disclose technical details about the attack vector or intrusion timeline, its regulatory filing confirmed the incident resulted in unauthorized access to sensitive information. Following confirmation of the data leak, HomecareGPS began sending notification letters to all affected individuals on the same date as the HHS-OCR submission. The breach investigation remained ongoing at the time of the notification, with no additional details released regarding containment measures or forensic findings.
The compromised information qualified as protected health information under healthcare privacy standards, indicating it contained both medical data and personal identifiers that could link records to specific individuals. While HomecareGPS did not enumerate the exact data elements exposed, PHI typically includes medical history, treatment details, demographic information, insurance records, and diagnostic results based on industry definitions. The Worcester, Massachusetts-based company provides specialized software solutions to home healthcare agencies, focusing on compliance management and operational efficiency tools for an industry handling sensitive patient data. With approximately 25 employees and $5 million in annual revenue, HomecareGPS develops customizable software platforms that process client healthcare information as part of its core business operations. The breach notification process adhered to federal healthcare breach reporting requirements through the timely HHS-OCR filing and individual consumer communications. No information was provided regarding third-party forensic involvement, system remediation efforts, or regulatory penalties stemming from the incident at the time of disclosure.