HCA Healthcare discloses data breach affecting as many as 11 million patients

HCA Healthcare says an “unauthorized party” released some patient information on an online forum, and as many as 11 million patients could be affected.

The company, which operates 180 hospitals and 2,300 ambulatory sites, announced the data breach Monday and described it as a “theft.” It could be the largest breach of health data in 2023.

• Read more: Here are the 10 largest data breaches in the first half of 2023

HCA says the information includes patients, names, addresses, dates of birth and information on patient service dates, locations, and the dates for the next appointments.

“This appears to be a theft from an external storage location exclusively used to automate the formatting of email messages,” HCA said in a statement.

The company said the list contained information used for email messages, such as reminders of upcoming appointments. The information has been placed for sale online on a data breach forum, CNBC reports.

HCA says the breach did not include clinical information, such as treatment or diagnosis, and it didn’t include payment information, such as credit cards or account numbers. The company says the breach did not include other sensitive information, including Social Security numbers, driver’s license numbers or passwords.

The company says there has been no disruption to patient care or services.

HCA says it has notified law enforcement of the breach and also engaged forensic and threat intelligence consultants.

While HCA says the investigation continues, the company says it “has not identified evidence of any malicious activity on HCA Healthcare networks or systems related to this incident.”

• Read more: Paying the Ransom: A Special Report

HCA says it is offering credit monitoring and identity protection services. If patients receive a billing statement or invoice and wish to confirm it’s legitimate, HCA says they can call 844-608-1803.

The company says it doesn’t believe the breach “will materially impact its business, operations or financial results.” (HCA also offered a full list of facilities where patients could be affected.)

Cybersecurity experts say they’ve seen a rise in ransomware attacks and breaches in the past few months. Some attacks have disrupted patient care, John Riggi, national advisor for cybersecurity and risk for the American Hospital Association, told Chief Healthcare Executive® in a recent interview.

“I have seen, unfortunately, an increase in ransomware high impact ransomware attacks just in the past six weeks, and with multiple facilities being hit,” Riggi says.

HCA did not describe the breach as a ransomware attack. The company says it has “robust security strategies, systems, and protocols in place to help protect data.” HCA also said it disabled user access to the storage location where the breach occurred as a containment measure.

Tens of millions of Americans have already been affected by breaches of private health information in 2023.

The federal government requires organizations to report any breach of health data affecting more than 500 people. More than 300 breaches affecting at least 500 people have been reported by the U.S. Department of Health and Human Services.

Managed Care of North America, a dental insurer, has been hit with the largest breach of health data reported on the HHS database this year. The breach affected more than 8.8 million Americans, according to HHS.

In a public statement, MCNA says it determined someone “was able to see and take copies of some information in our computer system between February 26, 2023 and March 7, 2023.”

Hospital leaders must establish cybersecurity as a high priority and a risk issue threatening patient safety, Riggi says. He says the key is “imbuing this culture of cybersecurity within a healthcare organization, helping the staff first understand that cyber hygiene is as important as medical hygiene to protect the patients.”

Steve Cagle, CEO of Clearwater, a cybersecurity firm, says healthcare organizations must recognize the threat of cyberattacks to patient safety.

“I think at the center of everything, we really should be thinking about the patient first,” Cagle says.

(In an interview with Chief Healthcare Executive, Steve Cagle discusses building a culture of cybersecurity.)