HCA Healthcare, one of the largest health companies in the USA, announced on July 10 that it was the target of a huge data breach.
The cyber incident impacted about 1,038 hospitals and physician clinics across 20 states. All in all, 11 million patients in 20 states, including California, Florida, Georgia, and Texas, had their personal data stolen. The incident is one of the largest healthcare breaches in history.
The company discovered the data breach on July 5, 2023. Until now, it seems that the hackers managed to exfiltrate:
- Full names, date of birth, and gender,
- Data regarding the city, state, and zip code,
- Contact data, like emails and telephone numbers,
- Patients` service date, location, and next appointment date.
The threat actor claimed to have 27.7 million records and has already released for sale, on a dark forum, nearly 1 million records. Initially, the hacker tried to obtain ransom from HCA Healthcare. Since the company did not respond to blackmail, the malicious actor put the full database for sale. He claims that the stolen records were created between 2021 and 2023.
Threat actors can use the leaked data for launching phishing attacks and social engineering. However, HCA Healthcare claims the stolen data does not include information about conditions, diagnosis, credit card and bank account numbers, passwords, or other extremely sensitive details.
The company has announced law enforcement and the investigation is now ongoing. In addition, the organization started to enforce additional security and data protection measures.
To prevent and mitigate data breaches and data losses, it is recommended to have a defense in-depth strategy in place, and cyber hygiene is strictly followed.