
HCA Healthcare Suffers Data Breach, 11M Patients Impacted

An unauthorized party stole a list of information used for email messages to patients and posted it on an online forum, HCA Healthcare stated in its data breach notice.

UPDATE 7/10/2023, 4:35 PM - This article was updated to reflect the number of individuals impacted and to include commentary from a cybersecurity expert.

HCA Healthcare confirmed a data breach that impacted approximately 11 million patients, resulting from data theft by an unauthorized party. HCA Healthcare is a leading healthcare organization comprising 180 hospitals and 2,300 ambulatory sites of care in 20 states and the United Kingdom.

According to the breach notice, an unauthorized party obtained a list of information pertaining to patients and made it available on an online forum.

The list contained information used for email messages, such as appointment reminders and education about healthcare programs and services. The impacted list consists of 27 million rows of data.

“HCA Healthcare has confirmed that the list contains information used for email messages, such as reminders that patients may wish to schedule an appointment and education on healthcare programs and services,” the breach notice stated.

HCA Healthcare stated that the incident “appears to be a theft from an external storage location exclusively used to automate the formatting of email messages,” and the incident caused no disruptions to operations or care.

The list contained patient names, cities, states, zip codes, email addresses, phone numbers, gender, dates of birth, and appointment information. It is important to note that the list did not include clinical information or payment information.

The company said it immediately disabled user access to the storage location and retained third-party investigators. HCA Healthcare posted a list of facilities impacted by the breach, which can be found here.

To Dror Liwer, co-founder of cybersecurity company Coro, this incident exemplifies the importance of employing strict security controls wherever patient data is stored.

“Sometimes non-critical systems, such as an email notification platform, are not secured at the same level critical patient care platforms might be – but a lot of the data is the same sensitive data, and should be treated as such,” Liwer commented.

“The situation is even more delicate when external contractors are involved, such as billing or marketing companies that take possession of patient data in order to perform their duties. Especially in these cases, companies must verify that wherever patient data is stored, on premises, off premises, or within third-party platforms, the same strict data protection protocols are followed.”
