The recent data breach at HCA Healthcare is one of the largest in the healthcare sector, involving the theft and sale of personal information of potentially 11 million patients.
What's happening
HCA Healthcare, one of the largest healthcare providers in the United States, has reported a significant data security incident. The company discovered that an unauthorized party made a list of patient information available on an online forum. The list includes patient names, contact information, service dates, locations, and appointment dates.
However, it does not appear to include clinical information, payment information, or sensitive information such as passwords, driver's license, or social security numbers.
Why it matters
This breach is one of the largest ever reported in healthcare, potentially affecting at least 11 million patients across 20 states, including California, Florida, Georgia, and Texas. The breach was first discovered on July 5. If the number of affected patients is confirmed, it would rank in the top five healthcare hacks reported to the Department of Health and Human Services Office of Civil Rights.
What they're saying
The data sale was initially flagged by Brett Callow, an analyst at New Zealand-based Emsisoft, who said, "This may be one of the biggest health care-related breaches of the year and one of the biggest of all time. That said, despite affecting millions of people, it may not be as harmful as other breaches as, based on HCA's statement, it doesn't seem to have impacted diagnoses or other medical information."
HCA said in a press release, "While our investigation is ongoing, the company has not identified evidence of any malicious activity on HCA Healthcare networks or systems related to this incident. The company disabled user access to the storage location as an immediate containment measure and plans to contact any impacted patients to provide additional information and support, in accordance with its legal and regulatory obligations, and will offer credit monitoring and identity protection services, where appropriate."
On a page dedicated to keeping patients informed, HCA states that the compromised system "was exclusively used to automate the formatting of email messages."
Between the lines
While HCA has stated that no clinical information was breached, this claim has been challenged. DataBreaches.net reported that the unnamed hacking group provided them with a sample set of data about a patient's "low risk" lung cancer assessment. This would have apparently undercut HCA's assessment that no material or protected health information was breached. However, an HCA spokesperson later clarified that the sample data set was "marketing campaign" data and was not an individual patient's after-visit assessment.
What to watch
HCA has disabled user access to the storage location as an immediate containment measure and plans to contact any impacted patients to provide additional information and support. They will also offer credit monitoring and identity protection services where appropriate. HCA is asking patients not to pay any invoices or billing requests without first calling the chain to verify that the message is legitimate.
The bottom line
HCA has provided a list of facilities whose data was included in the breach. Patients receiving services at any of those hospitals or offices may be affected. If receiving an invoice or payment reminder, contact HCA to confirm its authenticity.
Related: HIPAA Compliant Email: The Definitive Guide
Dean Levitt
