







Health Management Systems of America, a Detroit-based behavioral healthcare provider, experienced a security incident involving unauthorized access to a single employee email account, exposing both personally identifiable information (PII) and protected health information (PHI) of certain individuals.
The company discovered the breach on Dec. 9, 2024, after detecting suspicious activity linked to a spear phishing campaign. According to the official notice of security incident posted on Nov. 11, 2025, an unauthorized actor gained access to the email account and acquired certain emails.
Information exposed as a result of this breach may include name, date of birth, Social Security or Tax ID number, address, medical information and health insurance details.
The severity of this breach is notable due to the nature of the information involved and the method of compromise. Spear phishing campaigns are targeted attacks designed to trick employees into revealing login credentials, which can lead to unauthorized access to confidential communications.
In this case, the attacker was able to acquire emails containing sensitive data, underscoring the importance of vigilance against phishing tactics.
After identifying the incident, Health Management Systems of America (HMSA) immediately retained an IT security firm to investigate the breach and assess the scope of the compromise.
The company also notified the Department of Health and Human Services, as required for incidents involving protected health information. HMSA’s legal and data review teams are working to determine exactly what information was involved and to identify the individuals affected.
Those whose information was included in the compromised emails will receive a notification letter by U.S. mail at their last known address. If HMSA is unable to locate a current address for an affected individual, substitute notice will be provided on the company’s website.
