Privacy, Critical Infrastructure Security, Threat Management

Data for 11 million patients stolen in breach of HCA Healthcare

Hospital Corporation of America

One of the largest healthcare providers in the country confirmed a data security incident Monday, saying at least 11 million patients across 20 states had their data stolen.

Tennessee-based HCA Healthcare, which runs 180 hospitals and 2,300 healthcare sites across the United States and was founded by the family of former Senate Republican Majority Leader Bill Frist, said the breach occurred through the compromise of an external storage location for an unnamed software system used to automate the formatting of emails.

The provider said the breach was “recently discovered” and that the stolen data contains information “used for email messages, such as reminders that patients may wish to schedule an appointment and education on healthcare programs and services.” User access to the storage was disabled upon learning of the incident.

Thus far, the types of data confirmed as stolen include patient names, city, state, zip code, email, telephone number, date of birth, gender, patient service data, location and next appointment dates.

“The investigation is ongoing and we cannot confirm the number of individuals whose information was impacted,” the announcement states. “HCA Healthcare believes that the list contains approximately 27 million rows of data that may include information for approximately 11 million HCA Healthcare patients.”

The company gave a qualified statement expressing confidence that more sensitive forms of data were not taken, though cybersecurity experts routinely caution that the full impact of a breach is not always clear in the immediate wake of an incident.

“We do NOT believe that clinical information (such as treatment, diagnosis, or condition), payment information (such as credit card or account numbers), or other sensitive information (such as passwords, driver’s license or social security number) is involved,” the company wrote.

According to HCA, there have been no care or service disruptions related to the incident, nor has it impacted day-to-day operations, and the company said it does not believe it will impact business, operations or financial results.

Thus far, states with affected facilities includes Alaska, California, Colorado, Florida, Georgia, Idaho, Indiana, Kansas, Kentucky, Louisiana, Missouri, Mississippi, Nevada, New Hampshire, North Carolina, South Carolina, Tennessee, Texas, Utah and Virginia.

The confirmation was made five days after DataBreaches.net posted a screenshot of hackers advertising sale of the data on an underground online forum, which gave HCA Healthcare a deadline of July 10 to “meet the demands.” After being contacted, the seller told the site that they hacked the automated formatting system and contacted the provider on July 4.

Screenshot of a hacker advertising HCA Healthcare data. (Source: DataBreaches.net)
Screenshot of a hacker advertising HCA Healthcare data. (Source: DataBreaches.net)

The provider is offering credit monitoring to affected victims, and urged patients to reach out to a listed number if they receive a potentially fraudulent invoice that includes the stolen data. HCA Healthcare said it reported the incident to law enforcement and hired an outside threat intelligence provider and forensic investigator, claiming there is currently no evidence of malicious activity indicating a compromise of their networks and systems.

SC Media reached out to a media contact for HCA Healthcare and left a voicemail seeking further comment.

If confirmed, the 11 million figure would eclipse the largest healthcare data breach of 2022, which was the 4.11 million patients affected by a ransomware attack on printing and mailing vendor OneTouchPoint.

Derek B. Johnson

Derek is a senior editor and reporter at SC Media, where he has spent the past three years providing award-winning coverage of cybersecurity news across the public and private sectors. Prior to that, he was a senior reporter covering cybersecurity policy at Federal Computer Week. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds