In this April 14, 2020 file photo, Sam Hazen, CEO of HCA Healthcare, speaks about the coronavirus in the Rose Garden of the White House, in Washington. HCA Healthcare’s second-quarter profit jumped past analyst expectations as patients returned to operating tables and hospital rooms after staying away last year at the start of the COVID-19 pandemic.
Alex Brandon | AP
Personal information for potentially tens of millions of HCA Healthcare patients has been stolen and is now available for sale on a data breach forum as of earlier this week.
HCA, one of the largest companies in the United States, first acknowledged the breach earlier today. In a release, it warned patients that critical personal information had been compromised, including their full name, city, and when and where they last saw a provider.
Shares of the healthcare giant closed up more than 1.4% in Monday trading and were unchanged after hours.
The provider claimed that no clinical information had been disclosed.
But DataBreaches.net reported Monday that the unnamed hacking group provided them with a sample set of data about a patient’s “low risk” lung cancer assessment, which would apparently undercut HCA’s assessment that no material or protected health information was breached.
The hack impacts patients in nearly two dozen states, including patients at dozens of facilities in Florida and Texas. The data sale was flagged on Twitter by Brett Callow, an analyst at New Zealand-based Emsisoft.
“This may be biggest healthcare-related breaches of the year, and one of the biggest of all time. That said, despite affecting millions of people, it may not be as harmful as other breaches as, based on HCA’s statement, it doesn’t seem to have impacted diagnoses or other medical information,” Callow told CNBC.
“The hacker has, however, claimed to have ’emails with health diagnosis that correspond to a clientID,'” Callow noted.
Patient data breaches are not uncommon, but they can vary in scope and impact. HCA’s breach did not apparently include critical medical records, and the company said the breached data originated at an “external storage location exclusively used to automate the formatting of email messages.”
