HCA Healthcare reports data breach that could impact 11 million patients
On Monday, the health care giant reported that hackers stole personal information, including patient names and dates of birth, and posted it on a data breach forum.
Personal information for millions of HCA Healthcare patients in 20 states has been stolen and is now available on a data breach forum. On Monday, the company discovered that a list of certain information with respect to some of its patients was made available by an “unauthorized party” on an online forum, the company said in a statement. The list includes: Patient name, city, state, and zip code; patient email, telephone number, date of birth, gender; and patient service date, location and next appointment date.
“There has been no disruption to the care and services HCA Healthcare provides to patients and communities,” health system executives said. “This incident has not caused any disruption to the day-to-day operations of HCA Healthcare.”
HCA Healthcare, which is the nation’s largest provider of health care services comprising 180 hospitals and approximately 2,300 ambulatory sites of care, has confirmed that the list contains information used for email messages, such as reminders that patients may wish to schedule an appointment and education on healthcare programs and services.
However, the list does not include critical medical records, which include: clinical information, such as treatment, diagnosis, or condition; payment information, such as credit card or account numbers; and sensitive information, such as passwords, driver’s license or Social Security numbers.
This appears to be a theft from an external storage location exclusively used to automate the formatting of email messages, according to the company.
HCA Healthcare, whose facilities include surgery centers, freestanding ERs, urgent care centers and physician clinics, reported this event to law enforcement and retained third-party forensic and threat intelligence advisors. While the investigation is ongoing, the company has not identified evidence of any malicious activity on HCA Healthcare networks or systems related to this incident.
The company disabled user access to the storage location as an immediate containment measure and plans to contact any impacted patients to provide additional information and support, in accordance with its legal and regulatory obligations, and will offer credit monitoring and identity protection services, where appropriate.
HCA Healthcare has created a dedicated webpage at hcahealthcare.com/privacyupdate to keep its patients informed.
The federal government requires organizations to report any breach of health data affecting more than 500 people. The health care sector suffered about 295 breaches in the first half of 2023, according to the HHS Office for Civil Rights data breach portal.