HCA Healthcare on Monday said it was the target of a major data breach affecting about 11 million patients and 1,400 facilities in 20 states, including Florida.
Some patient information was made available for sale by an “unknown and unauthorized party” on an online forum. That included patient name, city, state, ZIP code, phone number, birth date, gender, service date, location and appointment date.
The list did not include patient clinical information, credit card or account numbers, passwords, driver’s licenses or social security numbers, HCA said.
“While our investigation is ongoing, the company has not identified evidence of any malicious activity on HCA Healthcare networks or systems related to this incident,” the statement said.
However, a file dumped online by the hacker on Monday following what appeared to be a failed attempt to extort HCA includes nearly 1 million records from the company’s San Antonio division.
Also, CNBC reported that the hackers provided DataBreaches.net with a sample set of data about a patient’s “low risk” lung cancer assessment.
HCA Healthcare is the parent company of HCA Florida, which runs more than 100 hospitals and health clinics in Florida that were impacted by the data breach.
The company said the “serious data breach” apparently occurred at an external storage location used to automate the formatting of email messages.
HCA said the stolen list contains information used for email messages, “such as reminders that patients may wish to schedule an appointment” and education on health care programs and services.
HCA did not say when the hack occurred but said that it reported the incident to law enforcement and retained third-party “forensic and threat intelligence advisors.”
The company said it would offer credit monitoring and identity theft protection “where appropriate.” It cautioned that patients should be wary of phone calls, emails and text messages.
If 11 million patients are affected, the breach would rank in the top five as reported by health care institutions to the Department of Health and Human Services Office of Civil Rights. The worst such hack, against the medical insurer Anthem Inc. in 2015, affected 79 million people. Chinese spies were indicted in that case and there is no evidence the stolen data was ever put up for sale.
Nashville-based HCA operates 180 hospitals in the U.S. and Britain. In addition, it runs 2,300 ambulatory sites including surgery and urgent care centers and free-standing emergency rooms. It reports treating 37 million patients annually.
Information from the Associated Press was used in this report.