On July 5, while some folks were cleaning up from fireworks and barbecues, DataBreaches broke the news that HCA Healthcare data was up for sale on a deep web forum if the company didn’t meet some unspecified demands. Since that time, DataBreaches has remained in some contact with the seller, who has occasionally provided additional details (although not as many as this site would have liked). Of note, the seller informed DataBreaches that they were also the hacker, that this was a hack, not a leak, and that they had contacted HCA Healthcare on July 4 and given them until July 10 to respond to demands.
HCA Healthcare did not reply to DataBreaches’ inquiries at the time, later telling a third party that the emails had been caught up in some DMARC-related filter.
Today, HCA Healthcare issued a press release that says, in relevant part, that they
recently discovered that a list of certain information with respect to some of its patients was made available by an unknown and unauthorized party on an online forum. The list includes:
- Patient name, city, state, and zip code;
- Patient email, telephone number, date of birth, gender; and
- Patient service date, location and next appointment date.
HCA Healthcare has confirmed that the list contains information used for email messages, such as reminders that patients may wish to schedule an appointment and education on healthcare programs and services.
Importantly, the list does not include:
- Clinical information, such as treatment, diagnosis, or condition;
- Payment information, such as credit card or account numbers;
- Sensitive information, such as passwords, driver’s license or social security numbers.
They also report that the incident appears to be a theft from an external storage location “exclusively used to automate the formatting of email messages.”
A website privacy update includes an FAQ that says, in part:
2. What data was accessed?
We do NOT believe that clinical information (such as treatment, diagnosis, or condition), payment information (such as credit card or account numbers), or other sensitive information (such as passwords, driver’s license or social security number) is involved.
They may not believe it, but even without that type of info, this is still protected health information and a reportable breach under HIPAA. But is their belief even justified? The hacker tells DataBreaches, “I have emails with health diagnosis that correspond to a clientID.” DataBreaches asked to see proof of that, but the hacker did not provide compelling proof, although they had already provided DataBreaches with a sample of code:
[code]10963605,42841158,Dynamic From Name, marketing@m arketing.hcahealthcare.com,6/20/2023 12:38:00 PM,6/23/2023 2:37:43 PM, Following up about your lung cancer assessment, DIV_CAP_Lung_Cancer_Low_Risk,318899,, Active,http://members. exacttarget. com/integration/EmailPreview. aspx?mid=fe6115707c62077b7511&jid=fe5e10727d60057c701c&sendtype=ffc71c&eid=fe5a16777260017d7211,True,[/code]
Did this link a patient name or ID to information about their lung cancer assessment? If so, isn’t that clinical information? (See Update 1 at the end of this post.)
The FAQ also addresses the number potentially affected:
7. How many patients are affected by this?
The investigation is ongoing and we cannot confirm the number of individuals whose information was impacted. HCA Healthcare believes that the list contains approximately 27 million rows of data that may include information for approximately 11 million HCA Healthcare patients.
Notice that they don’t claim this is the only data acquired. They say only that 27 million rows would correspond to roughly 11 million patients.
It’s understandable that some media outlets would start headlining that 11 million patients were affected although the actual number could be significantly higher.
The hacker commented to DataBreaches, “They claim ’11 Million’ not like they would know, they lost all their data.” And while the hacker didn’t offer proof of the total number of patients whose data was acquired, the seller uploaded a second sample of data yesterday — 1 million records seemingly from the San Antonio Division, where each record was one patient.
HCA describes itself as
one of the nation’s leading providers of healthcare services comprising 180 hospitals and approximately 2,300 ambulatory sites of care, including surgery centers, freestanding ERs, urgent care centers, and physician clinics, in 20 states and the United Kingdom.
If there are 1 million patients’ records for just one division, and HCA Healthcare has locations in 20 states and the U.K., is it possible that the hacker really did acquire more than 11 million patients’ information — especially when the original listing indicated that more data would be included in the sale than the 27+ million rows?
It’s unfortunate that the hacker has refused to provide more proof of some claims so that patients, regulators, and lawyers could begin to understand more about the possible scope of this breach.
The data are now up for sale.
Update 1: A spokesperson for HCA contacted DataBreaches in response to the question raised in this article referencing “Client ID” and what might be viewed as clinical information. They explained that the code was a template that HCA was developing for mailings, and that in this code, “ClientID” does not refer to any patient or individual but rather to the hospital or entity HCA was developing the mailings for. So the hacker may have been correct in claiming they had Client ID, but that is not a patient ID. Thanks to HCA Healthcare for reaching out to clarify that.
I am extremely concerned about this hack of information, as my husband, a handicapped military Veteran, passed less than 2 yrs ago, and I am also a disabled Senior.
I’m sorry for your loss. I think some media outlets are hyping this breach a bit. You may find yourself getting more spam and attempts to get your identity information, so be cautious that way, but if you’re really concerned about identity theft and fraud, you might want to think about putting a security freeze on your credit reports. Anytime someone tries to pull your credit report to open up a new account in your name, that would be blocked unless you authorize it. It may sound intimidating, but it is not hard to do. See the government’s directions/help guide here: https://www.usa.gov/credit-freeze
cyberattacks, reading about HCA Healthcare’s statement regarding a hacker putting data up for sale on the deep web is deeply concerning. It highlights the growing threat of cybercrime and the vulnerability of our personal information in the digital age.
Having had my own data compromised in the past, I understand the feelings of anxiety and frustration that come with such incidents. Data breaches not only expose our sensitive information but also erode our trust in organizations tasked with safeguarding our data. It is disheartening to see yet another company falling victim to hackers, potentially putting thousands of individuals at risk of identity theft and other cybercrimes.
This incident serves as a stark reminder of the urgent need for robust cybersecurity measures and proactive efforts to protect sensitive data. Companies must invest in advanced security systems, encryption protocols, and employee training to mitigate the risks posed by cybercriminals. Additionally, transparency and timely communication with affected individuals are essential in building trust and allowing individuals to take necessary precautions to protect themselves.
As a society, we must also prioritize cybersecurity awareness and education. Individuals should remain vigilant, regularly monitor their accounts, and take steps to strengthen their online security. It is crucial to stay informed about data breaches, understand the potential impact, and take appropriate action to mitigate any potential harm.
Let this incident serve as a wake-up call for both organizations and individuals. Together, we must work towards a safer digital landscape, where our personal information is protected, and data breaches become a thing of the past. [Link to SSA-office[dot]com removed by moderator].