HCA Healthcare, a for-profit operator of hospitals and clinics in the US, reported a significant data breach that puts the personal information of at least 11 million patients in danger.
The Nashville-based business said on Monday, July 10, that patients in 20 states are impacted, including California, Florida, Georgia, and Texas. Information retrieved may include patients' names, partial addresses, phone numbers, and scheduled appointment dates, all of which might be considered private.
The breach, which was discovered on July 5, is one of the largest in the history of the healthcare industry, as reported by CBS News.
Massive Healthcare Data Leak
According to HCA Healthcare, the following data was acquired by the hackers:
- Patient name, address, birth date, and gender
- Contact information such as email address and phone number
- Date of service, location, and next scheduled visit for the patient
According to a statement released by the firm on Monday, the theft seems to have occurred at a remote storage facility used only for the automated formatting of email messages.
"The company disabled user access to the storage location as an immediate containment measure and plans to contact any impacted patients to provide additional information and support, in accordance with its legal and regulatory obligations, and will offer credit monitoring and identity protection services, where appropriate," the company said in its press release.
HCA said it had notified authorities and hired outside forensic and threat intelligence experts.
It also stated that potentially sensitive information such as patients' treatment or diagnosis; payment information; passwords; driver's license numbers; or Social Security numbers were not compromised in the hack.
This assertion, however, seems to be at odds with the findings of the website DataBreaches.net, which initially reported the hacking. DataBreaches published a snippet of code that apparently came from a hacker offering their services, and it included the phrase, "Following up about your lung cancer assessment." A person's clinical data may be included in this code if it is legitimate.
In response to this incident, HCA said it found no indication of any malicious activity on its networks or systems.
As an immediate containment measure, the company cut off access to the storage facility, and it has plans to get in touch with affected patients to offer them additional information and support, as required by law and regulation. It will also provide credit monitoring and identity protection services to those who need them.
HCA is advising its patients to contact the main line at (844) 608-1803 before responding to any purported bills or billing demands.
According to the HCA website, the corporation has more than 180 hospitals and 2,000 care facilities (including walk-in clinics) in 20 different countries.
