HCA Healthcare, one of the largest companies in the United States, announced on Monday that hackers breached its system and stole the personal data of 11 million patients.
In its announcement, the company said the patient accounts were posted by an unknown and unauthorized party on an online forum.
The health care company’s dataset has approximately 27 million accounts, which include patients’ personal information and certain visit records, and HCA believes that some of it is now up for sale.
HCA said the data breach apparently did not include critical medical records and that the files were stolen from an “external storage location exclusively used to automate the formatting of email messages.”
The compromised information does not include clinical data such as treatment, diagnosis, or condition information; payment information; user passwords; driver’s licenses; or Social Security numbers, according to HCA.
However, the health care provider confirmed that patient names, email addresses, phone numbers, birth dates, and information about medical appointments were stolen.
Some experts say that the stolen data can still be used for fraud or identity theft.
Victims Across the Country
The HCA hack is affecting patients in nearly two dozen states, including those at dozens of facilities in Florida and Texas, CNBC reported.
“HCA Healthcare reported this event to law enforcement and retained third-party forensic and threat intelligence advisors,” the company said regarding the hack.
“While our investigation is ongoing, the company has not identified evidence of any malicious activity on HCA Healthcare networks or systems related to this incident.
“The company disabled user access to the storage location as an immediate containment measure and plans to contact any impacted patients to provide additional information and support, in accordance with its legal and regulatory obligations, and will offer credit monitoring and identity protection services, where appropriate,” HCA explained.
The data sale on the online forum was flagged on Twitter by Brett Callow, an analyst at New Zealand-based Emsisoft, CNBC reported.
“This may be one of the biggest health care-related breaches of the year and one of the biggest of all time. That said, despite affecting millions of people, it may not be as harmful as other breaches as, based on HCA’s statement, it doesn’t seem to have impacted diagnoses or other medical information,” Callow told CNBC.
HCA claimed no clinical information had been disclosed, but Callow noted that “the hacker has, however, claimed to have ‘emails with health diagnosis that correspond to a clientID.’”
The Epoch Times reached out to HCA Healthcare for comment.