A major hack of HCA Healthcare has resulted in a massive data breach that could impact at least 11 million of its patients.
According to HCA Healthcare, the organization “recently discovered that a list of certain information with respect to some of its patients was made available by an unknown and unauthorized party on an online forum.”
HCA Healthcare warned patients that the hacker accessed information such as the name, location, email, date of birth, gender, telephone number, previous patient service dates, and upcoming appointment dates of HCA Healthcare patients.
HCA Healthcare also revealed that the data breach included a list of information that is used for the organization’s email messages, such as reminders for patients to schedule future appointments.
According to HCA Healthcare, the information stolen by the unidentified hacker does not include the payment information, sensitive information, or clinical information of its patients.
Although HCA Healthcare informed patients that sensitive information was not included in the data breach, DataBreaches reported that the hacker shared a sample code which read in part, “Following up about your lung cancer assessment.”
While the code has not yet been confirmed, CBS News indicated that if the code is validated, it would suggest that the hacker could have obtained clinical information regarding HCA Healthcare patients. Additionally, the hacker told DataBreaches, “I have emails with health diagnosis that correspond to a clientID.”
In a public statement, HCA Healthcare said the data breach “appears to be a theft from an external storage location exclusively used to automate the formatting of email messages.”
The company noted that the data breach did not cause any “disruption” to the services provided by HCA Healthcare or to the daily operations of the organization. “Based on the information known at this time, the company does not believe the incident will materially impact its business, operations or financial results,” HCA Healthcare stated.”
An investigation into the security breach is currently ongoing; however, HCA Healthcare claimed that the company has “not identified evidence of any malicious activity on HCA Healthcare networks or systems related to this incident.”
HCA Healthcare announced that the company intends to contact any patients that are impacted by the data breach and will “offer credit monitoring and identity protection services, where appropriate.”
Brett Callow, an analyst at Emsisoft, told CNBC that the recent hack could be “one of the biggest health care-related breaches of the year” and perhaps “one of the biggest” health care security breaches “of all time.”