A significant data breach at HCA Healthcare, a major U.S. healthcare provider, has potentially exposed the personal information of approximately 11 million patients across 20 states. While sensitive data like Social Security numbers, financial details, and medical diagnoses are reportedly not involved, the compromised information includes patient addresses, phone numbers, email addresses, birth dates, appointment schedules, and the medical departments involved.
Evidence of the breach surfaced on an online forum frequented by cybercriminals, where a hacker attempted to sell the stolen data. A sample of the data, including nearly one million records from HCA's San Antonio division, was released online following what appears to be a failed extortion attempt targeting HCA. The hacker claimed to possess 27.7 million records and had set a deadline for payment.
HCA Healthcare acknowledged the breach, stating that the data was taken from an external storage location used for automating email formatting. The company hasn't disclosed when the breach occurred or when they became aware of it. HCA is offering credit monitoring and identity theft protection services to affected individuals and advises patients to be cautious of suspicious communications like calls, emails, and texts.
This incident ranks among the largest healthcare data breaches reported to the Department of Health and Human Services. The most significant breach to date impacted Anthem Inc. in 2015, affecting 79 million individuals. In that case, Chinese spies were indicted, although there's no indication that the stolen data was ever sold.
HCA Healthcare operates 180 hospitals in the U.S. and the U.K., along with 2,300 other facilities, including surgery centers, urgent care centers, and emergency rooms. They report treating 37 million patients annually. Given the U.S. government's classification of healthcare as critical infrastructure, healthcare providers are frequently targeted by cyberattacks.
