HCA Healthcare, the largest for-profit health system in the country, disclosed for the first time Monday that a data breach affected 1,038 hospitals and physician clinics across 20 states.
The cybersecurity event affected about 40% of HCA’s facilities —the Nashville-based health system operates 180 hospitals and approximately 2,300 ambulatory sites of care across 20 states and the United Kingdom.
With the Rise of AI, What IP Disputes in Healthcare Are Likely to Emerge?
Munck Wilson Mandala Partner Greg Howison shared his perspective on some of the legal ramifications around AI, IP, connected devices and the data they generate, in response to emailed questions.
The health system first discovered the incident on July 5. This likely means that the hackers took advantage of a long holiday weekend when many people take time off, Danny Jenkins, CEO of cybersecurity company ThreatLocker, told MedCity News.
“There is a large increase in ransomware attacks coming from vulnerable software or unknown open ports. Attackers are getting a foothold and then waiting for a long weekend to launch the attack. The long weekend often gives attackers more time to cause severe damage and extract as much data as possible without detection,” he declared.
In its statement, HCA said hackers stole data from “an external storage location exclusively used to automate the formatting of email messages.” During the data theft incident, the unauthorized party accessed patients’ data — including names, home addresses, email addresses, phone numbers, dates of birth and gender data. The hackers also accessed information about patients’ healthcare services, such as appointment dates and locations.
The unauthorized party did not gain access to patients’ payment information, social security numbers, passwords or driver’s license data, nor did they access information having to do with patients’ medical conditions, diagnoses or treatments, according to HCA.
A Personalized Approach to Medication Nonadherence
At the Abarca Forward conference earlier this year, George Van Antwerp, managing director at Deloitte, discussed how social determinants of health and a personalized member experience can improve medication adherence and health outcomes.
The health system said that the data breach has not caused any disruption to its daily operations or the services it provides to patients.
“Based on the information known at this time, the company does not believe the incident will materially impact its business, operations or financial results,” HCA noted in its statement.
When the health system learned of the breach, it disabled user access to the data storage location. HCA is still actively investigating the breach, but it has not yet found evidence of any malicious activity on its networks or systems.
Since the investigation is ongoing, the health system could not confirm the number of patients whose information was affected — though it believes hackers accessed about “27 million rows of data that may include information for approximately 11 million HCA Healthcare patients.”
HCA’s breach does not stand in isolation — at all. By Monday, the same day HCA informed the public of its data hack, healthcare entities covered by HIPAA had already reported more than 330 data breaches this year affecting 41.4 million people to HHS’ civil rights office. This number is quickly catching up with the total for all of last year, which was 52 million impacted patients.
Not surprisingly Jenkins believes the healthcare sector is in the middle of a tough year for data security. He recommended that healthcare organizations “ensure security staff are prepared, especially around holiday weekends.”
Photo: Rawpixel Ltd, Getty Images
