HCA Healthcare has reported a cyber security breach in which a list containing information on millions of its patients was released online.
Nashville-based HCA Healthcare is one of the largest providers of healthcare services in the US with 180 hospitals and more than 2,300 sites across 20 states, as well as in the United Kingdom.
HCA Healthcare told Health & Protection the breach had not affected its UK-based patients.
“The systems of HCA Healthcare UK have not been affected and data of patients that have been cared for at HCA Healthcare UK facilities has not been impacted,” HCA Healthcare UK told Health & Protection.
But the same was not true for US-based patients.
The company believes that as many as 11 million patients may have been affected across 20 states. HCA Healthcare has confirmed that the list contains information used for email messages, such as reminders that patients may wish to schedule an appointment and education on healthcare programmes and services.
The information list released included patient names, addresses, emails, telephone numbers, dates of birth, gender, patient service date, location and their next appointment date, HCA Healthcare said.
Some private information not included
But other private information was not included on the list, HCA Healthcare said.
“We do not believe that clinical information (such as treatment, diagnosis, or condition), payment information (such as credit card or account numbers), or other sensitive information (such as passwords, driver’s license or social security number) is involved,” HCA Healthcare said.
“HCA Healthcare reported this event to law enforcement and retained third-party forensic and threat intelligence advisors. While our investigation is ongoing, the company has not identified evidence of any malicious activity on HCA Healthcare networks or systems related to this incident,” HCA Healthcare said.
“We are working as quickly as possible to identify and contact the patients whose data was impacted by this data security incident. If you are one of those patients, we expect to mail you a notification letter, in the coming weeks, that will provide you with additional information, as well as offer complimentary credit monitoring and identity protection services,” it said.
The company said the incident appeared to relate to a theft from an external storage location exclusively used to automate the formatting of email messages.
No disruption to care and services
“There has been no disruption to the care and services HCA Healthcare provides to patients and communities,” HCA Healthcare said.
“It has not caused any disruption to the day-to-day operations of HCA Healthcare.
“Based on the information known at this time, the company does not believe the incident will materially impact its business, operations or financial results.”
HCA Healthcare released a comment from Achi Lewis, area vice president for EMEA at Absolute Software, who discussed the need for both cyber security and cyber resilience measures to be included in cyber strategies, as well as the danger of reputational damage.
Volume of cyber-attacks to remain high
“The volume of cyber-attacks will continue to remain high and each time, they act as a reminder that cyber security and cyber resiliency must remain a priority for organisations,” Lewis warned.
“Data plays a pivotal role in many businesses, and it is more important than ever that organisations re-evaluate their cyber posture to ensure they are on the front foot, including cyber protections to protect against attacks, as well as measures to ensure resiliency to respond to attacks and secure systems and devices.”
“Attacks can cost organisations huge reputational and financial loss and while implementing protection methods is a great first step, this is only part of the way there to effectively protect an organisation,” he said.
But the possibility of an attack is constant.
“Being vigilant that an attack could occur at any moment should be the approach all businesses take to effectively prepare, including new technologies such as self-healing tech that can lock devices if they become vulnerable, automatically update core systems, and ensure devices are back online as quickly as possible,” Lewis said.
“Attacks can cause havoc for businesses which can continue for weeks and even months, meaning proper cyber protections should be high on the agenda for all businesses,” he added.