Millions of HCA Healthcare customers have data stolen – here’s what you need to know

HCA Healthcare, one of the largest healthcare facilities in the United States, suffered a cyberattack that saw sensitive patient data belonging to millions of users stolen.

A report from CNBC claims the database is now being offered for sale, on a darknet forum, with the data apparently includes patient names, cities of residence, and the location of their last visit. The company confirmed being the victim of the attack but added that the hackers, whose identities are unknown at the moment, did not steal any clinical information.

Not everyone agrees with this assessment, though, as reporters from DataBreaches.net claim to have obtained a sample, which includes data about a patient’s “low risk lung cancer assessment.”

Tens of millions of victims

The number of victims is being counted in “tens of millions” and includes residents of almost two dozen states, including Florida, and Texas. 

Cybersecurity researcher from Emsisoft, Brett Callow, found the database and argues that this “may be one of the biggest healthcare-related breaches of the year, and one of the biggest of all time.” 

“That said, despite affecting millions of people, it may not be as harmful as other breaches as, based on HCA’s statement, it doesn’t seem to have impacted diagnoses or other medical information,” he Callow told CNBC. “The hacker has, however, claimed to have ‘emails with health diagnosis that correspond to a clientID’”.

HCA Healthcare is an American for-profit operator of healthcare facilities. The company was founded in 1968, and is based in Nashville, Tennessee.

It operates more than 180 hospitals across the country, as well as some 2,000 sites of care. These include surgery centers, freestanding emergency rooms, urgent care centers, and physician clinics in 21 states. It also has facilities in the UK.