On July 5, while some folks were cleaning up from fireworks and barbecues, DataBreaches broke the news that HCA Healthcare data was up for sale on a deep web forum if the company didn’t meet some unspecified demands. Since that time, DataBreaches has remained in some contact with the seller, who has occasionally provided additional details (although not as many as this site would have liked). Of note, the seller informed DataBreaches that they were also the hacker, that this was a hack, not a leak, and that they had contacted HCA Healthcare on July 4 and given them until July 10 to respond to demands.
HCA Healthcare did not reply to DataBreaches’ inquiries at the time, later telling a third party that the emails had been caught up in some DMARC-related filter.
Today, HCA Healthcare issued a press release that says, in relevant part, that they
recently discovered that a list of certain information with respect to some of its patients was made available by an unknown and unauthorized party on an online forum. The list includes:
- Patient name, city, state, and zip code;
- Patient email, telephone number, date of birth, gender; and
- Patient service date, location and next appointment date.
HCA Healthcare has confirmed that the list contains information used for email messages, such as reminders that patients may wish to schedule an appointment and education on healthcare programs and services.
Importantly, the list does not include:
- Clinical information, such as treatment, diagnosis, or condition;
- Payment information, such as credit card or account numbers;
- Sensitive information, such as passwords, driver’s license or social security numbers.
They also report that the incident appears to be a theft from an external storage location “exclusively used to automate the formatting of email messages.”
A website privacy update includes an FAQ that says, in part:
2. What data was accessed?
We do NOT believe that clinical information (such as treatment, diagnosis, or condition), payment information (such as credit card or account numbers), or other sensitive information (such as passwords, driver’s license or social security number) is involved.
They may not believe it, but even without that type of info, this is still protected health information and a reportable breach under HIPAA. But is their belief even justified? The hacker tells DataBreaches, “I have emails with health diagnosis that correspond to a clientID.” DataBreaches asked to see proof of that, but the hacker did not provide compelling proof, although they had already provided DataBreaches with a sample of code:
10963605,42841158,Dynamic From Name, marketing@m arketing.hcahealthcare.com,6/20/2023 12:38:00 PM,6/23/2023 2:37:43 PM, Following up about your lung cancer assessment, DIV_CAP_Lung_Cancer_Low_Risk,318899,, Active,http://members. exacttarget. com/integration/EmailPreview. aspx?mid=fe6115707c62077b7511&jid=fe5e10727d60057c701c&sendtype=ffc71c&eid=fe5a16777260017d7211,True,
Did this link a patient name or ID to information about their lung cancer assessment? If so, isn’t that clinical information? (SEE UPDATE1, below post)
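The row above shows how a send log with no diagnosis column can still carry clinical context in its subject and campaign fields. As an added illustration (not code from DataBreaches, HCA or the hacker), this Python check classifies such rows so an export could be held back from storage not approved for PHI; the column names, sample rows and term list are assumptions.

```python
import csv
import io
import re

# Column names are assumed for illustration; the article quotes a header-less row and
# does not document the export schema. "client_id" is an entity id per the article's update.
COLUMNS = ["send_id", "job_id", "from_name", "from_address", "scheduled_at", "sent_at",
           "subject", "campaign", "client_id", "unused", "status", "preview_url",
           "is_test", "trailer"]

# Constructed rows shaped like the quoted sample; addresses and URLs are placeholders.
SAMPLE_EXPORT = (
    "10963605,42841158,Dynamic From Name,marketing@example.invalid,6/20/2023 12:38:00 PM,"
    "6/23/2023 2:37:43 PM,Following up about your lung cancer assessment,"
    "DIV_CAP_Lung_Cancer_Low_Risk,318899,,Active,https://preview.example.invalid/?mid=X,True,\n"
    "10963606,42841159,Dynamic From Name,marketing@example.invalid,6/21/2023 9:00:00 AM,"
    "6/21/2023 9:05:12 AM,Time to schedule your annual wellness visit,"
    "DIV_GEN_Wellness_Reminder,318899,,Active,https://preview.example.invalid/?mid=X,True,\n"
)

# A few condition and screening terms for illustration, not a complete clinical vocabulary.
CONDITION_TERMS = re.compile(
    r"cancer|oncolog|diabet|cardiac|hiv|pregnan|behavioral health|substance use", re.I)


def classify_row(row):
    """Mark a row as clinical-context if its subject or campaign name implies a condition."""
    record = dict(zip(COLUMNS, row))
    reasons = []
    for field in ("subject", "campaign"):
        # Campaign names use underscores as separators; normalise so phrases match too.
        hit = CONDITION_TERMS.search(record.get(field, "").replace("_", " "))
        if hit:
            reasons.append(f"{field} mentions '{hit.group(0).lower()}'")
    return {"send_id": record.get("send_id"), "subject": record.get("subject"),
            "campaign": record.get("campaign"), "flagged": bool(reasons), "reasons": reasons}


def classify_export(csv_text):
    """Parse a header-less CSV export and classify every non-empty row."""
    return [classify_row(row) for row in csv.reader(io.StringIO(csv_text)) if row]


def flagged_send_ids(csv_text):
    """Send ids a reviewer would hold back from any storage tier not approved for PHI."""
    return [r["send_id"] for r in classify_export(csv_text) if r["flagged"]]
```

Run against the constructed export, only the lung cancer follow-up row is flagged, on both its subject and its campaign name.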
The FAQ also addresses the number potentially affected:
7. How many patients are affected by this?
The investigation is ongoing and we cannot confirm the number of individuals whose information was impacted. HCA Healthcare believes that the list contains approximately 27 million rows of data that may include information for approximately 11 million HCA Healthcare patients.
Notice that they don’t claim this is the only data acquired; they only say that 27 million rows would correspond to about 11 million patients.
It’s understandable that some media outlets would start headlining that 11 million patients were affected, although the actual number could be significantly higher.
The hacker commented to DataBreaches, “They claim ’11 Million’ not like they would know, they lost all their data.” And while the hacker didn’t offer proof of the total number of patients whose data was acquired, the seller uploaded a second sample of data yesterday — 1 million records seemingly from the San Antonio Division, where each record was one patient.
HCA describes itself as
one of the nation’s leading providers of healthcare services comprising 180 hospitals and approximately 2,300 ambulatory sites of care, including surgery centers, freestanding ERs, urgent care centers, and physician clinics, in 20 states and the United Kingdom.
If there are 1 million patients’ records for just one division, and HCA Healthcare has locations in 20 states and the U.K., is it possible that the hacker really did acquire more than 11 million patients’ information — especially when the original listing indicated that more data would be included in the sale than the 27+ million rows?
It’s unfortunate that the hacker has refused to provide more proof of some claims so that patients, regulators, and lawyers could begin to understand more about the possible scope of this breach.
The data are now up for sale.
Update 1: A spokesperson for HCA contacted DataBreaches in response to the question raised in this article referencing “Client ID” and what might be viewed as clinical information. They explained that the code was a template that HCA was developing for mailings, and that in this code, “ClientID” does not refer to any patient or individual but rather to the hospital or entity HCA was developing the mailings for. So the hacker may have been correct in claiming they had Client ID, but that is not a patient ID. Thanks to HCA Healthcare for reaching out to clarify that.