HCA Healthcare disclosed a data breach impacting an estimated 11 million patients who received care at one of its hospitals and clinics after a threat actor leaked samples of the stolen data on a hacking forum.
HCA Healthcare is one of America’s largest healthcare facility owners and operators, with 182 hospitals and 2,200 care centers across 21 U.S. states and the United Kingdom.
As first reported by DataBreaches.net, on July 5th, 2023, a threat actor began selling data allegedly belonging to HCA Healthcare on a forum used to sell and leak stolen data. This forum post includes samples of the stolen database, which they claim consists of 17 files and 27.7 million database records.
The threat actor claims that the stolen data consists of patient records created between 2021 and 2023.
The threat actor initially did not offer the database for sale but instead used the post to blackmail HCA Healthcare, giving them until July 10th to” “meet the demands.” This is likely related to financial demands, although it wasn’t explicitly mentioned.
However, after not receiving a response from HCA, the hacker began selling the full database, with other threat actors expressing interest in purchasing the data.
The organization confirmed yesterday that the data leaked on the hacking forum is authentic, with the stolen database impacting roughly 11,000,000 people.
“HCA Healthcare believes that the list contains approximately 27 million rows of data that may include information for approximately 11 million HCA Healthcare patients,” explains an HCA Healthcare data breach notification.
HCA says that the data was stolen from an “external storage location” used to format patient email messages.
“There has been no disruption to the care and services HCA Healthcare provides to patients and communities,” says HCA.
The stolen data includes the following:
- Full names
- City, state, and ZIP code
- Email address
- Telephone number
- Date of birth
- Gender
- Service date and location
- Next appointment date
The above data is valuable to threat actors conducting phishing attacks and scams, who could use it to launch convincing social engineering attacks against the exposed individuals.
HCA Healthcare does not believe that the stolen data contains detailed clinical information such as conditions, diagnosis, and treatment, payment information such as credit card and bank account numbers, or other sensitive information like passwords, social security numbers, and driver’s licenses.
HCA Healthcare has informed law enforcement agencies about the incident and continues investigating whether its networks and systems are free of malicious activity that might indicate threat actors still have access.
Also, access to the breached storage location has been disabled as an urgent containment measure, and the organization is working on implementing additional security and data protection measures.
For a complete list of impacted facilities across the country, check the bottom section of HCA Healthcare’s announcement.
Source: https://www.bleepingcomputer.com/news/security/hca-confirms-breach-after-hacker-steals-data-of-11-million-patients/
