Boston: HCA Healthwhich operates 180 hospitals in the US and Britain, says the personal data of some 11 million patients in 20 states may have been stolen in a data breach.
Samples of the data, including addresses, phone numbers, emails and dates of birth, were posted on an online forum popular with cybercriminals by a hacker trying to sell them.
The Nashville, Tennessee-based provider said the stolen data was not believed to include Social Security numbers, payment information or clinical information such as diagnoses.
However, the data included information about scheduled appointments and the medical departments involved. A file downloaded online by the hacker on Monday after what appeared to be a failed extortion attempt HCA includes nearly 1 million records from the company’s San Antonio division.
If 11 million patients are affected, the violation would rank in the top five as reported by health care institutions to the Department of Health and Human Services, Office for Civil Rights. In the worst of those hacks, the health insurer Anthem Inc. affected 79 million people in 2015. Chinese spies were charged in that case and there is no evidence that the stolen data was put up for sale.
The hacker, who first posted a sample of stolen data online on July 5, was trying to sell the data and was apparently trying to extort money from HCA. They claimed to have 27.7 million registrations and set a deadline of Monday.
A company spokesperson did not immediately respond to an email and phone message asking if HCA received an extortion lawsuit.
In a statement posted on its website on Monday, HCA said the data was stolen from “an external storage location” used to “automate the formatting of email messages.” HCA did not say when the data was stolen or when it learned of the theft.
The company said it would offer credit monitoring and identity theft protection “where appropriate.” He warned that patients should be careful with phone calls, emails and text messages.
HCA listed facilities in 20 US states, from Alaska to Virginia, where people who received services could be affected.
In addition to hospitals, HCA Healthcare manages 2,300 outpatient sites including surgery and urgent care centers and freestanding emergency rooms. It reports treating 37 million patients annually.
Healthcare is classified by the US government as one of 16 critical infrastructure sectors, and healthcare providers are seen as prime targets for hackers.
