Personal information for an estimated 11 million patients of HCA Healthcare has been stolen in a data breach and put on sale online, the company announced this week (10 July).
HCA, a leading healthcare provider and one of the largest companies in the US, told patients that their information had been compromised on Monday (11 July).
The stolen information included full names, birth dates, phone numbers and email addresses – as well as information on the patient’s last appointment.
Tennessee-based HCA says it is still investigating the breach and has not yet established exactly how many patients are affected – but estimates that 27 million rows of data pertaining to about 11 million patients have been accessed.
HCA claims that payment details, passwords and social security numbers have not been compromised.
The data breach originated at an “external storage location exclusively used to automate the formatting of email messages,” according to HCA.
Hospital operations have not been affected and the authorities are involved, HCA added.
“This latest attack highlights how the healthcare sector has rapidly become a goldmine for threat actors,” Andrew Whaley, senior technical director at Norwegian cybersecurity firm Promon, told Verdict.
“Out of all the targetable industries, healthcare organisations are the most likely to pay a ransom following a breach,” he added.
What needs to be done to prevent further HCA data breaches?
“[The breach highlights] the vulnerability of sensitive patient data and the potential consequences of inadequate protection,” Shadabi said.
Shadabi added: “To bolster cybersecurity in healthcare, the industry must prioritize the adoption of data-centric security measures, such as tokenization and format-preserving encryption.”
Shadabi said that by embracing the aforementioned data-centric security measures “the healthcare industry can significantly mitigate the impact of data breaches.”
Whaley said the fact that bad actors were able to obtain vast amounts of data from an external source is “extremely concerning”.
“Obviously, healthcare organisations cannot protect themselves against all cyberthreats, but if the sector is to improve its defences it needs to severely up its game,” Whaley told Verdict.
Breaches are becoming a common occurrence
The breach reportedly affected up to 90 organisations and involved personal data such as full names and email addresses.
The Information Commissioner’s Office (ICO) said in a statement that a “second data breach emerged in May when it was reported that the firm had left benefits data files in publicly accessible storage, prompting several councils to say they thought their data had been compromised.”