A major HCA Healthcare data breach has been reported this week after the discovery that a hacker stole the data of an estimated 11 million patients, then offered the data for sale when HCA Healthcare failed to meet the hacker’s demands.
HCA Healthcare is one of the largest health systems in the United States, operating 182 hospitals and more than 2,300 care sites. HCA Healthcare announced the data breach on July 10, 2023, on the hacker’s deadline for meeting their demands. It is unclear what those demands were. The hacker posted on a dark net forum on July 5, 2023, claiming responsibility for the attack and issuing a deadline of July 10, 2023, for their demands to be met, after which the data was listed for sale.
According to HCA Healthcare’s announcement, its systems were not compromised in the attack. The hacker gained access to an external storage location that was used for formatting emails such as appointment reminders and marketing emails about HCA Healthcare’s programs and services. HCA Healthcare said the breach does not appear to have involved Social Security numbers, financial information, or clinical information. The initial findings of the investigation indicate the only information compromised was full name, city/state/zip code, email addresses, telephone number, birth date, gender, service date(s)/location(s), and next appointment date.
The nature of the stolen data means patients are not immediately at risk of identity theft; however, they could be subject to a variety of scams, such as phishing, smishing, and vishing. HCA Healthcare said affected individuals will be offered credit monitoring services as a precaution. The stolen data included 27.7 million lines of data across 17 files, which equates to around 11 million individuals who received services from HCA Healthcare and physicians’ offices between 2021 and 2023. The stolen data relates to more than 1,000 healthcare facilities in 20 states. The hacker does not appear to have misused the data; however, since the data has now been listed for sale, misuse may occur in the coming days, months, and years. HCA Healthcare has published a notice about the security incident.
The incident is still being investigated with assistance from third-party digital forensics experts, and law enforcement has been notified about the attack. HCA Healthcare said the attack has not affected its business operations or had an impact on patient care, and the attack is not anticipated to affect its financial results. At 11 million+ records, the HCA Healthcare data breach is the largest healthcare data breach to be reported by a HIPAA-regulated entity so far in 2023 and ranks as one of the top 5 healthcare data breaches of all time.