Personal information for an estimated 11 million patients of HCA Healthcare has been stolen in a data breach and put on sale online, the company announced this week (10 July). 

HCA, a leading healthcare provider and one of the largest companies in the US, told patients that their information had been compromised on Monday (11 July).

The stolen information included full names, birth dates, phone numbers and email addresses – as well as information on the patient’s last appointment. 

Tennessee-based HCA says it is still investigating the breach and that it is not clear exactly how many patients have been compromised – but it estimates 27 million rows of data pertaining to about 11 million patients have been accessed.

HCA claims that payment details, passwords and social security numbers have not been compromised. 

The data breach originated at an “external storage location exclusively used to automate the formatting of email messages,” according to HCA. 

Hospital operations have not been affected and the authorities are involved, HCA added. 

“This latest attack highlights how the healthcare sector has rapidly become a goldmine for threat actors,” Andrew Whaley, senior technical director at Norwegian cybersecurity firm Promon, told Verdict.

“Out of all the targetable industries, healthcare organisations are the most likely to pay a ransom following a breach,” he added.

What needs to be done to prevent further HCA data breaches?

Erfan Shadabi, cybersecurity expert at data security platform Comforte AG, told Verdict that this could “potentially be one of the largest health breaches to date”.

“[The breach highlights] the vulnerability of sensitive patient data and the potential consequences of inadequate protection,” Shadabi said. 

He added: “To bolster cybersecurity in healthcare, the industry must prioritize the adoption of data-centric security measures, such as tokenization and format-preserving encryption.”

Shadabi said that by embracing the aforementioned data-centric security measures “the healthcare industry can significantly mitigate the impact of data breaches.”

Whaley said the fact that bad actors were able to obtain vast amounts of data from an external source is “extremely concerning”.

“Obviously, healthcare organisations cannot protect themselves against all cyberthreats, but if the sector is to improve its defences it needs to severely up its game,” Whaley told Verdict.

Breaches are becoming a common occurrence

The HCA data breach comes after Capita, the largest UK outsourcing services company, was hit by another data breach in May following a cyberattack in March.

The breach reportedly affected up to 90 organisations and involved personal data such as full names and email addresses.

The Information Commissioner’s Office (ICO) said in a statement that a “second data breach emerged in May when it was reported that the firm had left benefits data files in publicly accessible storage, prompting several councils to say they thought their data had been compromised.”