HCA Healthcare Data Breach Impacts 11 Million Patients

HCA Healthcare, one of the largest health systems in the United States, has suffered a major data breach that is understood to have affected 11 million patients. A hacker gained access to a patient list that was used for sending email messages, such as appointment confirmations and messages relating to HCA Healthcare’s programs and services.

The hacker behind the attack contacted HCA Healthcare on July 4, 2023, and issued certain demands. The hacker then listed the stolen data for sale on a dark web forum on July 5, 2023, and gave HCA Healthcare until July 10, 2023, to meet those demands. The stolen list contains more than 27 million rows of data, which equates to around 11 million patients. HCA Healthcare issued a press release confirming the data breach on July 10, 2023.

HCA Healthcare said the list did not include any clinical information, financial information, or Social Security numbers, only names, email addresses, phone numbers, city/state/zip code, gender, dates of birth, and appointment information. When the breach was detected, user access to the compromised storage location was blocked and an investigation was launched. The investigation confirmed that the breach was confined to an external storage location that was used exclusively for formatting email messages. HCA Healthcare’s internal systems were not compromised, there was no impact on patient care, and no disruption to its operations. HCA Healthcare said it does not anticipate the data breach having any impact on its business, operations, or financial results.

HCA Healthcare has confirmed the names of the healthcare facilities affected, which are located in 20 U.S. states: Alaska, California, Colorado, Florida, Georgia, Idaho, Indiana, Kansas, Kentucky, Louisiana, Missouri, Mississippi, Nevada, New Hampshire, North Carolina, South Carolina, Tennessee, Texas, Utah, and Virginia. Affected individuals will be notified by mail and will be offered complimentary credit monitoring services.

While the total number of individuals affected has yet to be confirmed, it ranks as one of the largest healthcare data breaches of all time and the largest breach of 2023. Individuals affected by the incident may not have had highly sensitive information stolen; however, since phone numbers and email addresses have been obtained, patients could be targeted in phishing, SMS message, and telephone-based scams. They should exercise caution, be vigilant against misuse of their information, and sign up for the free credit monitoring services.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/