HCA sends notice to patients informing them of data breach
The information was obtained by an unauthorized party in late June in what appears to be a theft from an external storage location.
Nashville-based HCA Healthcare has sent letters to certain patients affected by a data security incident that took place on or around July 5, and continues to mail out notification letters on a "rolling basis," with timing depending on the patient's state of residence.
A filing with the U.S. Department of Health and Human Services claims HCA discovered that a list of certain information pertaining to its patients was made available on an online platform by an unauthorized party.
The information was obtained by the unauthorized party in late June in what appears to be a theft from an external storage location exclusively used to automate the formatting of email messages, such as reminders that patients may wish to schedule an appointment and education on healthcare programs and services.
HCA said the incident did not cause disruptions to care or services.
WHAT'S THE IMPACT?
The exposed files contained the patient's name, city, state, zip code, email address, telephone number, date of birth, gender, service date and location and, in some instances, the date of their next appointment.
The exposed information did not include clinical information, such as treatment, diagnosis or condition; payment information, such as credit card or account numbers; or other sensitive information, such as passwords, government-issued ID numbers or social security numbers.
HCA said it disabled user access to the storage location as an immediate containment measure. It reported the event to law enforcement, retained third-party forensic and threat-intelligence advisors to investigate the incident, and also secured complimentary credit and identity protection services for affected individuals.
The company said patients are encouraged to be vigilant against identity theft and fraud by reviewing account statements, monitoring any available credit reports for unauthorized or suspicious activity, and taking care in response to any email, telephone or other contacts that ask for personal or sensitive information.
In addition to encouraging patients to remain vigilant in identifying calls, emails or SMS texts that appear to be spam or fraudulent, HCA is providing complimentary credit monitoring and identity protection services to affected individuals for two years via IDX. Information regarding these services and enrollment instructions is included in the notification letters.
THE LARGER TREND
A few weeks ago HCA CEO Sam Hazen said the breach has resulted in legal reprisals from patients.
"Not unexpectedly, we have been named as a defendant in multiple class action lawsuits," he said.
He added, "This incident has not caused any disruption to our day-to-day operations nor do we believe it will materially impact our business or financial results. HCA Healthcare believes the privacy of its patients is a vital part of its mission and remains committed to maintaining the security of their personal information."
Data published by the Ponemon Institute in July showed that, while data breaches affect all industries, healthcare suffers the largest financial hit.
This year, the average cost of a data breach reached an all-time high of $4.4 million. That's a 2.3% increase from 2022, and, taking the long-term view, the average cost has increased 15.3% from the 2020 report.
Since 2020, healthcare data breach costs specifically have increased 53.3%, representing a considerable rise in recent years. This is the 13th consecutive year the health industry reported it had the most expensive data breaches, averaging $10.9 million in cost.
A 2022 report from law firm BakerHostetler showed consumers are increasingly suing organizations over data breaches. Healthcare comprises 23% of lawsuits due to data breaches. The next highest is business and professional services, at 17%, followed by finance and insurance (15%), education (12%) and manufacturing (10%).
Of all industries, healthcare also logged the highest initial ransom demand from hackers and bad actors, at more than $8.3 million. The average ransom that was actually paid was far lower, at about $876,000, but that was still the highest average amount paid across all industries.
Twitter: @JELagasse
Email the writer: Jeff.Lagasse@himssmedia.com