1,000+ Facilities Impacted by HCA Data Breach

HCA Healthcare recently suffered a data breach affecting 1,038 hospitals and physician clinics across 20 states. The health system said hackers stole data from an external data storage location "exclusively used to automate the formatting of email messages." It also said that the incident has not caused any disruption to HCA's daily operations or the services it provides to patients.

HCA Healthcare, the largest for-profit health system in the country, disclosed for the first time Monday that a data breach affected 1,038 hospitals and physician clinics across 20 states. 

The cybersecurity event affected about 40% of HCA’s facilities — the Nashville-based health system operates 180 hospitals and approximately 2,300 ambulatory sites of care across 20 states and the United Kingdom.

The health system first discovered the incident on July 5. This likely means that the hackers took advantage of a long holiday weekend when many people take time off, Danny Jenkins, CEO of cybersecurity company ThreatLocker, told MedCity News.

“There is a large increase in ransomware attacks coming from vulnerable software or unknown open ports. Attackers are getting a foothold and then waiting for a long weekend to launch the attack. The long weekend often gives attackers more time to cause severe damage and extract as much data as possible without detection,” he declared.

In its statement, HCA said hackers stole data from “an external storage location exclusively used to automate the formatting of email messages.” During the data theft incident, the unauthorized party accessed patients’ data — including names, home addresses, email addresses, phone numbers, dates of birth and gender data. The hackers also accessed information about patients’ healthcare services, such as appointment dates and locations. 

The unauthorized party did not gain access to patients’ payment information, social security numbers, passwords or driver’s license data, nor did they access information having to do with patients’ medical conditions, diagnoses or treatments, according to HCA.

The health system said that the data breach has not caused any disruption to its daily operations or the services it provides to patients.

“Based on the information known at this time, the company does not believe the incident will materially impact its business, operations or financial results,” HCA noted in its statement.

When the health system learned of the breach, it disabled user access to the data storage location. HCA is still actively investigating the breach, but it has not yet found evidence of any malicious activity on its networks or systems.

Since the investigation is ongoing, the health system could not confirm the number of patients whose information was affected — though it believes hackers accessed about “27 million rows of data that may include information for approximately 11 million HCA Healthcare patients.”

HCA’s breach does not stand in isolation — at all. By Monday, the same day HCA informed the public of its data hack, healthcare entities covered by HIPAA had already reported more than 330 data breaches this year affecting 41.4 million people to HHS’ civil rights office. This number is quickly catching up with the total for all of last year, which was 52 million impacted patients.

Not surprisingly, Jenkins believes the healthcare sector is in the middle of a tough year for data security. He recommended that healthcare organizations “ensure security staff are prepared, especially around holiday weekends.”
