HCA Says Up to 11M Patients Affected by Email Data Hack
Hospital Chain Notifies SEC, Says Incident Not Likely to Affect Financials
Information on up to 11 million patients of hospital chain HCA Healthcare is up for sale on a dark web forum. HCA Healthcare on Monday confirmed an incident involving data theft from an external location used to automate the formatting of email messages but said it is still investigating.
If HCA Healthcare confirms that 11 million patients were indeed affected by the incident, the health data breach would by far be the largest so far this year reported to federal regulators in terms of the number of individuals affected (see: Midyear Health Data Breach Analysis: The Top Culprits).
In a statement accompanying its filing with the U.S. Securities and Exchange Commission, the Nashville, Tennessee-based healthcare company said it is investigating a data security incident involving patient information found listed on an online forum.
HCA Healthcare in its public statement Monday said its investigation is ongoing and while it cannot yet confirm the number of individuals whose information was affected, it believes that the compromised list contains approximately 27 million rows of data "that may include information for approximately 11 million HCA Healthcare patients."
Individuals who received care at a hospital or physician office that HCA Healthcare owns or operates might be included in the compromised data, the company said. "We are working as quickly as possible to specifically identify and contact patients whose data is impacted by this incident."
An "unknown and unauthorized party" posted the list on the forum, and it contains patient information used for email messages, such as appointment scheduling reminders and education on healthcare programs and services, HCA said in an FAQ posted on its website.
That information includes patient name, city, state, ZIP code, email, telephone number, birthdate and gender. Also contained in the list are patient service dates, location and next appointment dates.
The compromised information does not include clinical information, such as treatment, diagnosis, or condition; payment information, such as credit card or account numbers; or passwords, driver's license numbers or Social Security numbers, HCA said.
Operations Not Affected
The incident has not disrupted day-to-day operations or healthcare services HCA Healthcare provides to patients, the company told the SEC.
"Based on the information known at this time, the company does not believe the incident will materially impact its business, operations or financial results," HCA told the U.S. regulator.
HCA Healthcare, which operates 182 hospitals and 2,300 other medical care facilities in 20 states and the United Kingdom, last year reported revenue of more than $60 billion.
HCA Healthcare said it reported the incident to law enforcement and has retained third-party forensic and threat intelligence advisers.
"While our investigation is ongoing, the company has not identified evidence of any malicious activity on HCA Healthcare networks or systems related to this incident," the company told the SEC.
HCA said it disabled user access to the external storage location as an immediate containment measure. The company also said it will offer credit monitoring and identity protection services to affected individuals "where appropriate."
"HCA Healthcare also has several robust security strategies, systems and protocols in place to help protect data," the company said in its statement. Efforts to protect data include "ongoing education for our colleagues, physicians, vendors and others to maintain awareness of safe practices that can help ensure compliance and the security of our information," the company said.
The blog Databreaches.net on July 5 reported that HCA patient data had been posted for sale on a hacker forum and that HCA had been given until Monday to respond to an extortion demand.
HCA did not immediately respond to Information Security Media Group's request for additional details about the incident, including whether the compromise involved a third-party vendor.