
HCA's Massive Data Breach Affects 11M Patients Nationwide

Analysis  |  By John Commins  
   July 10, 2023

The for-profit megasystem has launched a webpage to keep patients informed.

HCA Healthcare Inc. announced Monday that it has discovered a data breach that could expose the personal information of as many as 11 million patients at scores of care venues in 20 states.

In a media release, the Nashville-based for-profit health system says the information was "made available by an unknown and unauthorized party on an online forum."  

The exposed data includes patients’ names, addresses, emails, phone numbers, dates of birth, gender, service dates, locations and next appointment dates.

No clinical or payment data was exposed, nor were passwords or drivers’ license or Social Security numbers.

"This appears to be a theft from an external storage location exclusively used to automate the formatting of email messages," HCA says.

"There has been no disruption to the care and services HCA Healthcare provides to patients and communities. This incident has not caused any disruption to the day-to-day operations of HCA Healthcare. Based on the information known at this time, the company does not believe the incident will materially impact its business, operations or financial results."

HCA says it has reported the breach to law enforcement and has hired a third-party forensics investigator and "threat intelligence advisors." The investigation is ongoing but HCA says it has uncovered no evidence of "malicious activity" on its networks.

HCA shut down user access to the storage location, will contact potentially affected patients, and has launched a webpage to keep patients informed.


John Commins is a content specialist and online news editor for HealthLeaders, a Simplify Compliance brand.


KEY TAKEAWAYS

HCA says the information was 'made available by an unknown and unauthorized party on an online forum.' 

Exposed data includes patients’ names, addresses, emails, phone numbers, dates of birth, gender, service dates, locations and next appointment dates.

No clinical or payment data was exposed, nor were passwords or drivers' license or Social Security numbers.

