Health Management Systems of America Updates Data Breach Disclosure

Health Management Systems of America, a Detroit-based behavioral healthcare provider, experienced a security incident involving unauthorized access to a single employee email account, exposing both personally identifiable information (PII) and protected health information (PHI) of certain individuals.

The company discovered the breach on Dec. 9, 2024, after detecting suspicious activity linked to a spear phishing campaign. According to the official notice of security incident posted on Nov. 11, 2025, an unauthorized actor gained access to the email account and acquired certain emails.

On March 6, 2026, the notice of security incident was updated to disclose that the following types of information was exposed: insurance claims information, employee assistance program information, authorization of services, demographic information, driver's licenses, Social Security numbers, chart numbers, login account information, and/or financial account information.

The severity of this breach is notable due to the nature of the information involved and the method of compromise. Spear phishing campaigns are targeted attacks designed to trick employees into revealing login credentials, which can lead to unauthorized access to confidential communications.

In this case, the attacker was able to acquire emails containing sensitive data, underscoring the importance of vigilance against phishing tactics.

Health Management Systems of America's response

After identifying the incident, Health Management Systems of America (HMSA) immediately retained an IT security firm to investigate the breach and assess the scope of the compromise.

The company also notified the Department of Health and Human Services, as required for incidents involving protected health information. HMSA’s legal and data review teams are working to determine exactly what information was involved and to identify the individuals affected.

Those whose information was included in the compromised emails will receive a notification letter by U.S. mail at their last known address. If HMSA is unable to locate a current address for an affected individual, substitute notice will be provided on the company’s website.