At least 11 million potentially compromised in HCA hack

by John R. Fischer, Senior Reporter | July 18, 2023

The information of at least 11 million people in a data breach at HCA Healthcare facilities.

In what is one of the biggest healthcare breaches in history, at least 11 million patients across the U.S. who sought care at an HCA Healthcare facility may have had potentially sensitive information hacked.

The attacker breached an external storage location for automating the format of email messages on July 5, accessing 27 million rows of data that contained patient names, cities, states, zip codes, email addresses, telephone numbers, dates of birth, gender, patient service dates, locations, and next appointment dates.

The attack affects patients in 20 states, including California, Florida, Georgia, and Texas, reported CBS News.

Your Centrifuge Specialty Store

Quality remanufactured Certified Centrifuges at Great prices! Fully warranted and backed by a company you can trust! Call or click for a free quote today! www.Centrifugestore.com 800-457-7576

HCA says that the attackers did not steal information on patients' treatment or diagnosis, payment information, passwords, driver's license numbers, or social security numbers.

But DataBreaches.net, which first " target="blank">reported the incident, says that it has been in contact with the hacker who told it that they originally gave HCA until July 10 to pay an unspecified ransom, and that they “have emails with health diagnosis that correspond to a clientID.” While they did not provide specific evidence of this, they did send a sample of code that said, "Following up about your lung cancer assessment,” wrote DataBreaches.net.

"The company disabled user access to the storage location as an immediate containment measure and plans to contact any impacted patients to provide additional information and support, in accordance with its legal and regulatory obligations, and will offer credit monitoring and identity protection services, where appropriate," said HCA in a statement.

The healthcare provider, which is based in Nashville, runs 180 hospitals and approximately 2,300 ambulatory care locations in 20 states and the U.K. It is warning patients not to pay any invoices or bills without calling it to verify if the claims are legitimate.

The attack, it says, has not disrupted day-to-day operations, and it does not expect it to affect its business or finances. It has not identified any “malicious activity on HCA Healthcare networks or systems related to this incident,” but has contacted law enforcement, as well as third-party forensic and threat intelligence advisors to investigate the incident.

The data is now up for sale, according to DataBreaches.net.

Back to HCB News



You Must Be Logged In To Post A Comment Sign In If you've already created an account, use your email address and password to sign in using the form below. Login Problems: Click here if you are having login issues. Email address: Password: Forgot your password? Login Problems? View our Legal Notice and Privacy Notice Register Registration is Free and Easy. Enjoy the benefits of The World's Leading New & Used Medical Equipment Marketplace. Register Now!