Hackers Steal Data of Over 11 Million HCA Healthcare Patients, Putting Them on Sale

In one of the largest healthcare-related data breaches of all time, the personal information of more than 11 million HCA Healthcare patients has potentially been compromised.

The data breach affects patients spread across almost two dozen states. The stolen data have been put on sale on a data breach platform.

Acknowledging the breach, HCA warned its patients that their critical personal information had been compromised, including their full name and city, as well as when and where they saw a provider the last time.

According to the healthcare giant, the breach originated at an external location that was used to automate the formatting of emails.

Hackers Might Have Access to Patients' ClPersonal inical Information

HCA Healthcare assured that no critical health information had been compromised in the breach. However, DataBreaches.net reported on Monday that they had been provided with a sample data set about a patient's lung cancer assessment by an unnamed hacking group.

This seems to undermine the healthcare provider's assessment that no protected health information or material had been disclosed.

Established by the family of former Senate Republican Majority Leader, Bill Frist, the Tennessee-based company runs over 180 hospitals and 2,300 healthcare sites across the country.

While healthcare data breaches aren't exactly uncommon, their scope and effect may vary. Apparently, HCA's data breach did not compromise health records - the clinical information obtained by the hackers fell into their hands through compromised emails.

HCA Healthcare said in a statement that they discovered the breach recently and that the compromised data includes information used for emails, such as education on healthcare programs and services and reminders for the patients to schedule appointments.

Upon the detection of the breach, user access to the storage was disabled.

While the company didn't confirm the number of patients whose data was compromised in the breach, they did announce that the list contains around 27 million rows of data that may include information for approximately 11 million HCA Healthcare patients."

HCA Healthcare also expressed that they were certain that more sensitive forms of data, such as clinical information and payment information, haven't been compromised.

However, according to cyber security experts, the full impact of a breach may not be evident right away.

Brett Callow, an analyst at New Zealand-based Emsisoft, flagged the sale of the stolen HCA data.

Despite affecting millions of people, it may not be as harmful as other breaches as, based on HCA's statement, it doesn't seem to have impacted diagnoses or other medical information.Brett Callow

However, he added that the hackers have claimed to have access to emails with health diagnoses that correspond with client IDs.

What Comes Next?

Affected patients have been offered credit monitoring by the healthcare giant. HCA also urged them to contact a provided phone number in case they receive potentially fraudulent invoices, which include any stolen data.

The healthcare provider has roped in an external threat intelligence provider and forensic investigator to further investigate the breach.

If the 11 million figure is accurate, this would mark the largest ever healthcare breach to date, surpassing the ransomware attack in 2022 that affected 4.11 million patients.

As of now, there's no malicious activity that might indicate a compromise of the company's systems or networks, the company said. However, it remains to be seen if there's more to the data breach and if any other sensitive information has been compromised.

The post Hackers Steal Data of Over 11 Million HCA Healthcare Patients, Putting Them on Sale appeared first on The Tech Report.