A hacker has stolen the records of at least 11 million patients in a massive HCA Healthcare data breach and leaked samples on an underground hacking forum.
HCA discovered the breach on July 5 when a hacker claiming to have obtained approximately 27 million rows of data attempted to extort the company before dumping one million records online.
With more than 180 hospitals and 2,300 service locations across 20 states in the United States and the United Kingdom, HCA records over 35 million patient encounters annually, according to its website.
Potentially sensitive patient info leaked in HCA Healthcare data breach
HCA Healthcare attributed the data breach to external storage used for marketing automation.
“This appears to be a theft from an external storage location exclusively used to automate the formatting of email messages,” HCA explained.
HCA disabled user access to the compromised storage location, initiated immediate containment measures, and will notify impacted patients. The provider also reported the healthcare data breach to relevant law enforcement authorities and hired third-party cyber forensic and threat intelligence experts to assess the situation.
The leaked data include each patient’s name, city, state and ZIP code, email address, telephone number, date of birth, gender, service date, location, and next appointment date.
According to HCA, the exposed data did not include clinical information such as treatment or diagnosis, payment information such as credit card or bank account numbers, or credentials and government identifiers such as account passwords, driver’s license numbers, or Social Security numbers.
“While the number of records impacted by this apparent breach is significant, it is important to note that no Protected Health Information (PHI) appears to be involved,” noted Avishai Avivi, CISO at SafeBreach. “Even though the information elements that were included can be used by malicious actors to craft better phishing campaigns, the information is not much different than the paper phone books we used to get for free in the mail.”
The threat actor disputes that, claiming the stolen data, stored in 17 files created between 2021 and 2023, includes sensitive patient information such as diagnoses matched to a client ID.
“They claim ‘11 Million’ not like they would know, they lost all their data,” the hacker added, suggesting that the healthcare data breach impacted more patients than HCA anticipated.
HCA says the breach did not disrupt patient care or business operations and that it has not observed any malicious activity on its network. The provider has not disclosed how the threat actor gained access to the storage location.
“It appears that no ransomware was deployed in this breach, or that it may have been contained, as HCA’s operations do not appear to have been affected, so this attack seems to be driven purely for financial gain,” noted Darren James, senior product manager at Specops Software.
Meanwhile, HCA advised patients to call the health facility to verify any bill or payment request before paying, so as not to fall prey to scammers. The provider will also offer credit monitoring and identity theft protection services “where appropriate.”
HCA Healthcare has yet to disclose the amount the hacker demanded in exchange for the stolen patient info.
“Wherever patient data is stored, companies should adhere to the strictest security protocols,” said Dror Liwer, co-founder of Coro. “Sometimes non-critical systems, such as an email notification platform, are not secured at the same level critical patient care platforms might be – but a lot of the data is the same sensitive data and should be treated as such.”
Another massive healthcare data breach
Although the number of impacted patients is disputed, the HCA healthcare data breach is one of the largest on record even at the lower figure.
“This incident could potentially be one of the largest health breaches to date, highlighting the vulnerability of sensitive patient data and the potential consequences of inadequate protection,” noted Erfan Shadabi, a cybersecurity expert with comforte AG.
The HCA leak ranks third behind the 2015 Anthem Inc. healthcare data breach that impacted over 78 million patients and the 2019 American Medical Collection Agency hack that leaked the patient info of 26 million individuals.
Other notable healthcare data breaches include the 2015 Premera Blue Cross hack (11 million), the 2015 Excellus Health Plan, Inc. breach (10 million), the 2023 Managed Care of North America (MCNA Dental) ransomware attack (8.9 million), and the 2023 PharMerica ransomware attack (5.8 million).
“This latest attack highlights how the healthcare sector has rapidly become a goldmine for threat actors,” said Andrew Whaley, Senior Technical Director at Promon. “Out of all the targetable industries, healthcare organizations are the most likely to pay a ransom following a breach.”
Whaley advised organizations to limit access to user data, encrypt data end to end, implement external key management, and secure endpoints to prevent similar attacks.
Similarly, Shadabi encouraged the healthcare industry to adopt “data-centric security measures, such as tokenization and format-preserving encryption.”
Organizations should also enforce NIST- and HIPAA-compliant password policies and implement 2FA/MFA, according to Specops senior product manager Darren James.
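The data-centric advice above (limit what a secondary system can see; tokenize direct identifiers before they leave the patient-care environment) is easier to weigh with a concrete sketch of what a marketing-automation export would look like if the identifiers never reached it in clear. The following is an added illustration written for this article; it is not HCA’s code, nor any vendor’s product. It assumes a keyed, vault-backed tokenization service that lives with the clinical systems, a constructed sample record using the field names the article lists, and a made-up key.

```python
"""Vault-backed tokenization of a patient contact record before export to an
email-formatting store. Added example for illustration; not HCA's code."""
import hmac
import hashlib

# Direct identifiers from the article's list of leaked fields. Date of birth is
# included because zip + gender + DOB together re-identify most people.
DIRECT_IDENTIFIERS = ("name", "email", "telephone", "date_of_birth")

# Fields the email-formatting job needs and which carry little risk on their own.
PASS_THROUGH = ("city", "state", "zip_code", "gender", "service_date",
                "location", "next_appointment_date")


class TokenVault:
    """Holds the tokenization key and the token -> value map.

    This object stays with the patient-care systems. The marketing store only
    ever receives the tokens it hands out.
    """

    def __init__(self, key: bytes):
        if len(key) < 32:
            raise ValueError("tokenization key must be at least 32 bytes")
        self._key = key
        self._lookup = {}  # token -> original value

    def tokenize(self, field: str, value: str) -> str:
        # Deterministic keyed token: the same value always yields the same token,
        # so the marketing store can still de-duplicate and join records. HMAC
        # rather than a bare hash, so an attacker holding only the store cannot
        # recover values by hashing every phone number or date of birth.
        mac = hmac.new(self._key, f"{field}\x00{value}".encode("utf-8"),
                       hashlib.sha256).hexdigest()
        token = f"tok_{field}_{mac[:24]}"
        self._lookup[token] = value
        return token

    def detokenize(self, token: str) -> str:
        # Called only at send time, inside the trusted environment.
        return self._lookup[token]


def tokenize_record(vault: TokenVault, record: dict) -> dict:
    """Produce the record that is allowed to reach the marketing store."""
    exported = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            exported[field] = vault.tokenize(field, value)
        elif field in PASS_THROUGH:
            exported[field] = value
        else:
            # Unknown columns (diagnosis, SSN, ...) are refused rather than
            # silently copied across; this is the "limit access" control.
            raise ValueError(f"field {field!r} is not approved for export")
    return exported


def leaks_direct_identifier(exported: dict, original: dict) -> bool:
    """Export-time check: no original direct identifier appears verbatim."""
    return any(original[f] in str(v)
               for f in DIRECT_IDENTIFIERS for v in exported.values())


# Constructed sample record (hypothetical data, not from the breach).
SAMPLE = {
    "name": "Jane Doe", "email": "jane.doe@example.com",
    "telephone": "615-555-0100", "date_of_birth": "1980-04-12",
    "city": "Nashville", "state": "TN", "zip_code": "37203", "gender": "F",
    "service_date": "2023-05-01", "location": "Clinic A",
    "next_appointment_date": "2023-08-01",
}

if __name__ == "__main__":
    vault = TokenVault(b"example-key-do-not-use-in-production!")  # made-up key
    out = tokenize_record(vault, SAMPLE)
    print(out)
    print("leak check:", leaks_direct_identifier(out, SAMPLE))
    print("send-time address:", vault.detokenize(out["email"]))
```

The point of the split is that a theft of the marketing store now yields tokens plus city, state, ZIP and appointment dates; the phone number, email and date of birth needed for a convincing phishing call are only recoverable through the vault, which sits behind the same controls as the clinical systems. Rotating the key re-tokenizes everything, which is why the mapping table, not the key alone, is what detokenization relies on.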