HCA data breach affects 11 million patients

HCA Healthcare, one of the largest health systems in the country, recently disclosed a data breach affecting at least 11 million patients. The size of the breach, which includes approximately 27 million lines of data, makes it one of the biggest events in healthcare history and reinforces the challenges of securing data in a cybercrime-rich environment. 

In a public announcement, the health system said that “a list of certain information with respect to some of its patients was made available by an unknown and unauthorized party on an online forum.” 

The data includes basic demographic data elements such as names, addresses, emails, phone numbers, and dates of birth, as well as patient service dates, locations, and next appointment dates. 

“HCA Healthcare has confirmed that the list contains information used for email messages, such as reminders that patients may wish to schedule an appointment and education on healthcare programs and services,” the announcement said. “This appears to be a theft from an external storage location exclusively used to automate the formatting of email messages.” 

However, the list does not include any clinical information, payment information, or other sensitive information such as passwords or social security numbers, the health system stressed. There has been no disruption to care or other day-to-day operations across the health system. 

According to AP News, a hacker posted a purported sample of the stolen data on July 5 in an effort to extort HCA by offering to sell the data to other cybercriminals. That file contained approximately 1 million records from HCA’s San Antonio, Texas division.  

“HCA Healthcare reported this event to law enforcement and retained third-party forensic and threat intelligence advisors,” the notice continues. “While our investigation is ongoing, the company has not identified evidence of any malicious activity on HCA Healthcare networks or systems related to this incident.”  

“The company disabled user access to the storage location as an immediate containment measure and plans to contact any impacted patients to provide additional information and support, in accordance with its legal and regulatory obligations, and will offer credit monitoring and identity protection services, where appropriate.” 

In only a matter of days, patients filed the first class action suit against HCA in relation to the data breach, alleging negligence on the part of HCA and the “failure to implement reasonable data security measures to adequately protect” the data. 

The lawsuit alleges that HCA “could have prevented this data breach by properly securing and encrypting the files and file servers containing the private information.” 

“[HCA Healthcare] was, or should have been, fully aware of the unique type and the significant volume of data on [its] server(s), amounting to millions of individuals’ detailed private information, and, thus, the significant number of individuals who would be harmed by the exposure of the unencrypted data,” the filing continues.  

With such a large number of patients involved, potentially placing the breach among the top five in healthcare history – there will no doubt be more lawsuits in the coming weeks. 

HCA Healthcare is performing the standard action of offering credit monitoring and identity theft protection to individuals involved in the breach and is cautioning patients to be wary of any phone calls, text messages, or other communications appearing to come from its systems, especially when bill payments or other financial issues are involved. 

Jennifer Bresnick is a journalist and freelance content creator with a decade of experience in the health IT industry.  Her work has focused on leveraging innovative technology tools to create value, improve health equity, and achieve the promises of the learning health system.  She can be reached at jennifer@inklesscreative.com.