US-based healthcare company, HCA Healthcare, has suffered a data breach impacting 11 million patients.
The cyber attack was discovered on July 10, after the personal data of patients was posted online. In a statement regarding the breach, HCA Healthcare says the data appears to have been stolen from “an external storage location exclusively used to automate the formatting of email messages”.
As the data stolen during the cyber attack is used for email messages, for example reminders to patients to book appointments, the dataset includes personally identifying information. This information includes:
- Patient names, cities, states and zip codes.
- The telephone numbers, email addresses, gender and dates of birth of patients.
- The service dates, locations and the dates of upcoming appointments.
After the unauthorized access and data theft were discovered, HCA Healthcare disabled access to the third-party storage location. The company also contacted all those impacted by the data breach.
The data stolen and posted online did not include any clinical information, payment information or sensitive information, e.g. social security numbers. HCA Healthcare assured its patients that the cyber attack had not impacted the company’s processes and said it does not believe it will “materially impact its business, operations or financial results”.
HCA Healthcare said that it had launched an investigation into the data breach and had reported it to the relevant authorities.
While the investigation into the data breach is ongoing, HCA Healthcare reported that during initial investigations the company had “not identified evidence of any malicious activity on HCA Healthcare networks or systems related to this incident”.
Following the cyber attack and subsequent data breach, HCA Healthcare patients have filed no fewer than five class action lawsuits related to the cyber security incident. The lawsuits have been filed in Nashville (where HCA Healthcare is based), Florida, California and Texas.
The class action lawsuits allege that HCA Healthcare was negligent and failed to properly protect patients’ data.
In one of the cases, plaintiffs Gary Silvers and Richard Marous say that due to the data breach they now face “a lifetime risk of identity theft due to the nature of the information lost, and a diminishment in the value of their private data”. They allege that HCA Healthcare should have known the value the data had to cyber criminals and implemented better security measures.
Plaintiffs also allege that the data security guidelines followed by HCA Healthcare failed to comply with those set by the Federal Trade Commission or in the Health Insurance Portability and Accountability Act.