Personal information for potentially tens of millions of HCA Healthcare patients has been stolen and is now available for sale on a data breach forum as of earlier this week.
HCA, one of the largest companies in the U.S., first acknowledged the breach earlier today. In a release, it warned patients that critical personal information had been compromised, including their full name, city and when and where they last saw a provider.
Shares of the health-care giant closed up more than 1.4% in Monday trading and were unchanged after hours.
The provider claimed no clinical information had been disclosed.
DataBreaches.net reported Monday that the unnamed hacking group provided it with a sample set of data about a patient’s “low risk” lung cancer assessment, which would apparently have undercut HCA’s assessment that no material or protected health information was breached.
But after publication, an HCA spokesperson told CNBC that the sample data set was “marketing campaign” data and was not an individual patient’s after-visit assessment.
The hack affects patients in nearly two dozen states, including patients at dozens of facilities in Florida and Texas. The data sale was flagged on Twitter by Brett Callow, an analyst at New Zealand-based Emsisoft.
“This may be one of the biggest health care-related breaches of the year and one of the biggest of all time. That said, despite affecting millions of people, it may not be as harmful as other breaches as, based on HCA’s statement, it doesn’t seem to have impacted diagnoses or other medical information,” Callow told CNBC.
“The hacker has, however, claimed to have ‘emails with health diagnosis that correspond to a clientID,’” Callow noted.
Patient data breaches are not uncommon, but they can vary in scope and effect. HCA’s breach apparently did not include critical medical records, and the company said the breached data originated at an “external storage location exclusively used to automate the formatting of email messages.”