Hospital and clinic operator HCA Healthcare has announced that it experienced a significant cyberattack, posing a risk to the data of at least 11 million patients.
The breach affects patients in 20 states, including California, Florida, Georgia, and Texas. HCA Healthcare, headquartered in Nashville, disclosed that the compromised data includes potentially sensitive information such as patients' names, partial addresses, contact details, and upcoming appointment dates.
This breach, discovered by the company on July 5, is considered one of the largest healthcare breaches in history. HCA Healthcare revealed that the hackers accessed various types of information, including patient names, cities, states, zip codes, emails, telephone numbers, dates of birth, genders, service dates, locations, and next appointment dates.
"This appears to be a theft from an external storage location exclusively used to automate the formatting of email messages," the company said in its Monday announcement.
"The company disabled user access to the storage location as an immediate containment measure and plans to contact any impacted patients to provide additional information and support, in accordance with its legal and regulatory obligations, and will offer credit monitoring and identity protection services, where appropriate," it said.
If the estimated number of affected patients reaches 11 million, this breach would rank among the top five healthcare hacks reported to the Department of Health and Human Services Office of Civil Rights. The most severe breach in this sector occurred in 2015 when medical insurer Anthem was compromised, affecting 79 million individuals. In that case, Chinese spies were indicted, but there is no evidence that the stolen data was ever sold.
According to the Associated Press, the suspected hacker behind the HCA breach initially posted a sample of the stolen data online on July 5, attempting to sell it and potentially extort HCA. The hacker claimed to possess 27.7 million records and subsequently released a file on Monday containing nearly 1 million records from HCA's San Antonio division.
To ensure the legitimacy of any invoices or billing requests, HCA is advising patients to contact the chain at (844) 608-1803 before making any payments. The company has reported the incident to law enforcement and engaged third-party forensic and threat intelligence advisors.
HCA maintains that the breach, which exposed approximately 27 million rows of data related to around 11 million patients, did not include highly sensitive information such as patients' treatment or diagnosis details, payment information, passwords, driver's license numbers, or Social Security numbers.
Although DataBreaches.net initially reported on the hack and shared a code sample purportedly offered by the hacker, HCA's spokesperson clarified that the code was an email template developed by the company, and the client ID mentioned referred to a doctor's office or facility, not a patient.
HCA Healthcare assured that it has not discovered any evidence of malicious activity on its networks or systems related to this incident. As an immediate containment measure, the company has disabled user access to the storage location.
HCA intends to reach out to affected patients to provide additional information and support, complying with legal and regulatory obligations. It will also offer credit monitoring and identity protection services where necessary. HCA Healthcare operates more than 180 hospitals and 2,000 care locations, including walk-in clinics, across 20 states and the U.K., according to its website.
