© 2024 WGCU News
PBS and NPR for Southwest Florida
Play Live Radio
Next Up:
0:00
0:00
0:00 0:00
Available On Air Stations

HCA Healthcare data breach may affect 11M patients in 20 states

FILE - In this April 14, 2020 file photo, Sam Hazen, CEO of HCA Healthcare, speaks about the coronavirus in the Rose Garden of the White House, in Washington.  HCA Healthcare’s second-quarter profit jumped past analyst expectations as patients returned to operating tables and hospital rooms after staying away last year at the start of the COVID-19 pandemic. The nation’s largest publicly traded hospital chain hiked its 2021 forecast on Tuesday, July 20, 2021 after a quarter in which it saw admissions at established locations climb nearly 27% when counting both in-patient and out-patient care.     (AP Photo/Alex Brandon, File)
Alex Brandon/AP
FILE - In this April 14, 2020 file photo, Sam Hazen, CEO of HCA Healthcare, speaks about the coronavirus in the Rose Garden of the White House, in Washington. HCA Healthcare’s second-quarter profit jumped past analyst expectations as patients returned to operating tables and hospital rooms after staying away last year at the start of the COVID-19 pandemic. The nation’s largest publicly traded hospital chain hiked its 2021 forecast on Tuesday, July 20, 2021 after a quarter in which it saw admissions at established locations climb nearly 27% when counting both in-patient and out-patient care. (AP Photo/Alex Brandon, File)

BOSTON — Medical giant HCA Healthcare, which operates 180 hospitals in the U.S. and Britain, says the personal data of about 11 million patients in 20 states may have been stolen in a data breach.

Samples of the data, including addresses, phone numbers, emails and birth dates, were posted to an online forum popular with cybercrooks by a hacker trying to sell them.

The Nashville, Tennessee-based provider said the stolen data was not believed to include Social Security numbers, payment information or clinical info such as diagnoses.

OTHER NEWS

Things to know about a landslide that has destroyed homes in Southern California

Trump can be held liable in writer’s defamation lawsuit after Justice Department reverses course

Georgia Democrat Mesha Mainor, at odds with her party, switches to Republicans

Senators call for Supreme Court to follow ethics code like other branches of government

However, the data did include information on scheduled appointments and medical departments involved. A file dumped online by the hacker on Monday following what appeared to be a failed attempt to extort HCA includes nearly 1 million records from the company’s San Antonio division.

If 11 million patients are affected, the breach would rank in the top five as reported by health care institutions to the Department of Health and Human Services Office of Civil Rights. In the worst such hack, affecting the medical insurer Anthem Inc. in 2015, 79 million people. Chinese spies were indicted in that case and there no evidence the stolen data was ever put up for sale.

The hacker, who first posted a sample of stolen data online on July 5, was trying to sell the data and was apparently attempting to extort HCA. They claimed to have 27.7 million records and set a Monday deadline.

A company spokesman did not immediately respond to an email and phone message asking if HCA received an extortion demand.

In a statement posted to its website on Monday, HCA said the data was stolen from “an external storage location” used to “automate the formatting of email messages.” HCA did not say when the data was stolen or when it learned of the theft.

The company said it would offer credit monitoring and identity theft protection “where appropriate.” It cautioned that patients should be wary of phone calls, emails and text messages.

HCA listed facilities in 20 U.S. states from Alaska to Virginia where people who received services might be affected.

In addition to hospitals, HCA Healthcare runs 2,300 ambulatory sites including surgery and urgent care centers and free-standing emergency rooms. It reports treating 37 million patients annually.

Health care is classified by the U.S. government as one of 16 critical infrastructure sectors, and health care providers are seen as prime targets for hackers.