HCA Healthcare has revealed it has suffered a major data breach affecting approximately 11 million patients.
The private healthcare operator said the information was posted on an online forum “by an unknown and unauthorized party,” which it discovered on July 5, 2023.
The roughly 27 million rows of data included personal information such as patient names, city, state, and zip code, email, telephone number, date of birth, gender, in addition to patient service dates, location and next appointment dates.
Read more: ENISA: Ransomware Makes Up Over Half of Healthcare Cyber-Threats
HCA emphasized that there was no clinical information posted on the forum, such as treatment, diagnosis, or condition; payment information, such as credit card or account numbers; or sensitive information, such as passwords, driver’s license or social security number.
Additionally, there is no disruption to the day-to-day operations of HCA Healthcare.
The firm, which has 180 hospitals and over 2300 sites in 20 US states and in the UK, said any patient that has received services at HCA-affiliated hospitals or physician offices in the US could be affected by the data leak.
HCA patients are being advised to be vigilant in identifying social engineering scams through calls, emails or SMS texts.
The healthcare provider said that it has reported the incident to law enforcement and is investigating what happened with the help of third-party forensic and threat intelligence advisors. It added that it “has not identified evidence of any malicious activity on HCA Healthcare networks or systems related to this incident.”
Supply Chain Attack
The breach appears to have been the result of a third-party compromise, with HCA revealing the data was stolen from an external storage location for an unnamed software system used to automate the formatting of email messages.
Steve Forbes, government cybersecurity expert at Nominet said that the initial details of the breach bear similarities to the compromise of business process outsourcing giant Capita’s systems, which handles NHS data.
He commented: “As well as their own cybersecurity posture, healthcare providers need to take a careful look at their supply chain and ensure that any provider that is handling their data has adequate measures in place to prevent a breach. All too often services are implemented with cybersecurity being a tick box on a procurement document as opposed to spending time gaining a thorough understanding of how the organization's data will be kept secure.”