11M HCA Healthcare Patients Impacted by Data Breach

HCA Healthcare, operator of a massive hospital and healthcare services network in the US and UK that serves 35 million medical consumers per year, has announced that it was compromised, leading to the theft of personal data on more than 11 million of its patients.

News of the breach first broke on July 5, when reports emerged of stolen HCA Healthcare data being offered up for sale on a Dark Web hacker forum.

"Data is grouped by division into 17 files totaling to 27,700,000 rows. More data is included in the sale," the threat actors explained on the site, according to reports. "HCA Healthcare have until the 10th to meet the demands."

The post didn't include any specific ransom demands, a DataBreaches.net report added. On July 10, HCA Healthcare announced the cyberattack.

HCA Healthcare acknowledged that patient data, including names, contact information, dates of birth, appointment details, and more were stolen in the cyberattack. Compromised data did not include any financial information like medical diagnoses or treatments, credit card numbers, passwords, or social security numbers, HCA Healthcare added.

HCA said its investigations are ongoing, and there's no word on who the perpetrators are.

"This appears to be a theft from an external storage location exclusively used to automate the formatting of email messages," HCA said in its announcement of the data breach. "There has been no disruption to the care and services HCA Healthcare provides to patients and communities."

Although Avishai Avivi, CISO at SafeBreach acknowledges the compromise is significant, he explained in a statement provided to Dark Reading, the fact that none of the leaked data included protected health information (PHI) is a positive outcome for HCA Healthcare.

"Even though the information elements that were included can be used by malicious actors to craft better phishing campaigns, the information is not much different than the paper phone books we used to get for free in the mail," Avivi explained. "It is actually a good indicator, considering the target — HCA, that the organization was practicing good cyber hygiene and was limiting the data elements that were shared externally."