HCA Healthcare reports data breach potentially impacting 11M patients

HCA Healthcare reported Monday that hackers stole personal information including patient names and dates of birth and posted it online.

The Nashville, Tennessee-based health system said the information was taken from an external storage location exclusively used to automate the formatting of email messages.

The healthcare giant confirmed in an online statement that breached information posted online included patient name, city, state and zip code; patient email, telephone number, date of birth, gender; and patient service date, location and next appointment date.

The hackers did not access clinical information, such as treatment, diagnosis or condition, or financial information, such as credit card or account numbers, HCA Healthcare said.

The data posted online also did not include sensitive information, such as passwords, driver’s licenses or social security numbers.

The health system said the investigation into the data security incident is ongoing and it cannot confirm the number of individuals impacted.

The data lists could contain approximately 27 million rows of data that may include information for approximately 11 million HCA Healthcare patients, the health system said in an online FAQ posted to its website. It did not disclose when the data was posted to the forum.

HCA Healthcare comprises 180 hospitals and approximately 2,300 ambulatory sites of care, including surgery centers, freestanding ERs, urgent care centers, and physician clinics, in 20 states and the United Kingdom.

The data theft impacted most of the health system's hospitals—171 hospitals across 19 states, according to HCA's online FAQ post. Hundreds of physician practices also were potentially impacted.

"There has been no disruption to the care and services HCA Healthcare provides to patients and communities. This incident has not caused any disruption to the day-to-day operations of HCA Healthcare. Based on the information known at this time, the company does not believe the incident will materially impact its business, operations or financial results," health system executives said.

HCA Healthcare reported this event to law enforcement and retained third-party forensic and threat intelligence advisors. The company disabled user access to the storage location as an immediate containment measure and plans to contact any impacted patients to provide additional information and support.

HCA plans to offer credit monitoring and identity protection services, where appropriate.

Dror Liwer, co-founder of cybersecurity company Coro, said the latest data security incident highlights that healthcare organizations need to adhere to the strictest security protocols to protect patient data, wherever it's stored.

"Sometimes non-critical systems, such as an email notification platform, are not secured at the same level critical patient care platforms might be – but a lot of the data is the same sensitive data, and should be treated as such," Liwer said. "The situation is even more delicate when external contractors are involved, such as billing or marketing companies that take possession of patient data in order to perform their duties. Especially in these cases, companies must verify that wherever patient data is stored, on premises, off premises, or within third-party platforms, the same strict data protection protocols are followed."

The healthcare sector suffered about 295 breaches in the first half of 2023, according to the HHS Office for Civil Rights (OCR) data breach portal. More than 39 million individuals were implicated in healthcare data breaches in the first six months of the year.

Between 2009 and 2022, 5,150 healthcare data breaches of 500 or more records were reported to the HHS OCR, HIPAA Journal reports. Those breaches resulted in the exposure or impermissible disclosure of 382 million healthcare records, which equates to more than 1.2x the population of the United States.

In 2022, an average of 1.94 healthcare data breaches of 500 or more records were reported each day.