Data on roughly 11 million HCA Healthcare patients in 20 states, including Florida, was stolen and recently posted on an online forum, the hospital chain reported on Sunday.
According to the company, an unauthorized party gained access to 27 million rows of data stored at an external location that is used to automate company email messages. The compromised data included patient names, cities, states, ZIP codes, dates of birth, telephone numbers and email addresses, according to the company’s statement.
HCA officials stressed that the breach did not include more sensitive information like credit card or account numbers, passwords, driver’s license or Social Security numbers. Nor did it include sensitive medical information such as diagnoses, although it does include dates and locations of appointments. The release does not say on which forum the data was posted.
The for-profit hospital chain, which operates 180 hospitals and approximately 2,300 other health facilities, said it has reported the incident to law enforcement and hired third-party forensic and threat intelligence advisers.
“While our investigation is ongoing, the company has not identified evidence of any malicious activity on HCA Healthcare networks or systems related to this incident,” the company said in a news release.
HCA plans to contact any impacted patients to offer additional information and support and will offer credit monitoring and identity protection services where appropriate. It recommends that patients remain vigilant in identifying calls, emails or text messages that appear to be spam or fraudulent. It also emphasized that patients should not open links or attachments sent from untrusted sources.
Patients who are unsure about whether a message is legitimate should call HCA at 844-608-1803.