The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

11.27 Million HCA Healthcare Patients Affected by Recent Cyberattack

Nashville, TN-based HCA Healthcare, the largest health system in the United States with more than 180 hospitals and 2,300 healthcare sites, has announced that an unauthorized individual had obtained the protected health information of patients. The initial report from HCA Healthcare indicated more than 11 million records were involved. The breach has now been reported to the HHS’ Office for Civil Rights as affecting 11,270,000 individuals, which makes this the third-largest healthcare data breach to be reported by a HIPAA-regulated entity.

Largest Healthcare Data Breaches

| Name of Covered Entity | Year | Covered Entity Type | Individuals Affected | Type of Breach |
|---|---|---|---|---|
| Anthem Inc. | 2015 | Health Plan | 78,800,000 | Hacking/IT Incident |
| American Medical Collection Agency | 2019 | Business Associate | 26,059,725 | Hacking/IT Incident |
| HCA Healthcare | 2023 | Healthcare Provider | 11,000,000+ | Hacking/IT Incident |
| Premera Blue Cross | 2015 | Health Plan | 11,000,000 | Hacking/IT Incident |
| Excellus Health Plan, Inc. | 2015 | Health Plan | 9,358,891 | Hacking/IT Incident |

On July 10, 2023, HCA Healthcare announced that hackers had gained access to an external storage location that was used to automatically format emails such as patient appointment reminders and emails alerting patients about HCA Healthcare programs and services. While the investigation into the data breach has not yet concluded, the compromised data lists contained 27 million rows of data, which included the protected health information of approximately 11 million patients who received care at HCA hospitals and doctors’ offices in 20 U.S. states.

The information in the data lists included name, address (city, state, zip code), email address, phone number, date of birth, gender, date(s) of service, location of service(s), and next appointment date. No clinical information, financial information, or Social Security numbers are believed to have been compromised. The data related to individuals who received healthcare services in Alaska, California, Colorado, Florida, Georgia, Idaho, Indiana, Kansas, Kentucky, Louisiana, Missouri, Mississippi, Nevada, New Hampshire, North Carolina, South Carolina, Tennessee, Texas, Utah, or Virginia. HCA Healthcare has published the full list of affected facilities.

HCA Healthcare said the storage location was immediately disabled when the breach was discovered and an investigation was launched into the attack, with assistance provided by third-party cybersecurity and digital forensics experts. HCA Healthcare said the incident had no impact on patient care and that it is not expected to have any impact on its business, operations, or financial results. HCA Healthcare will issue notification letters when the affected individuals have been identified and contact information has been confirmed. Complimentary credit monitoring services are being offered to the affected individuals.


The individual behind the attack listed the data for sale on a dark net marketplace and gave HCA Healthcare until July 10, 2023, to meet its demands. HCA Healthcare’s announcement coincided with that date, but it is unclear whether the hacker’s demands were met, or what those demands were. HCA Healthcare confirmed in its initial breach notice that “a list of certain information with respect to some of its patients was made available by an unknown and unauthorized party on an online forum,” and said the information was posted online on July 5, 2023. HCA Healthcare said it is unaware of any misuse of patient data at this time.

Since highly sensitive information does not appear to have been compromised, affected individuals may not face an immediate risk of identity theft or fraud. However, the exposed contact details and appointment information could be used in phishing attacks and email, telephone, or SMS scams, so affected individuals should exercise caution, especially with email attachments, hyperlinks in emails and SMS messages, and phone calls in which sensitive information is requested.

HCA Healthcare said it has “several robust security strategies, systems, and protocols in place to help protect data,” and has an ongoing education program for its colleagues, physicians, vendors, and others to maintain awareness of safe practices to help ensure compliance and the security of patient data.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
