HCA Healthcare has disclosed a data security incident.
The Nashville-based healthcare provider, which has 180 hospitals and 2,300 ambulatory sites of care in 20 states and the United Kingdom, said in a Monday (July 10) press release that the incident involves information about patients that is used for email messages.
This information was made available by “an unknown and unauthorized party on an online forum,” HCA Healthcare said in the release. It includes patient contact information, date of birth, gender, and information about their appointments.
The list of information included in the data security incident does not include clinical information, payment information, or sensitive information like passwords, driver’s license or social security numbers, according to the press release.
“This appears to be a theft from an external storage location exclusively used to automate the formatting of email messages,” HCA Healthcare said in the release. “There has been no disruption to the care and services HCA Healthcare provides to patients and communities.”
The company added in the release that the incident has not disrupted its day-to-day operations and — based on what is known at this time — is not expected to materially impact its business, operations or financial results.
It has also reported the incident to law enforcement and retained third-party advisors, according to the press release.
“While our investigation is ongoing, the company has not identified evidence of any malicious activity on HCA Healthcare networks or systems related to this incident,” the company said in the release. “The company disabled user access to the storage location as an immediate containment measure and plans to contact any impacted patients to provide additional information and support, in accordance with its legal and regulatory obligations, and will offer credit monitoring and identity protection services, where appropriate.”
In another recent news around data breaches, India’s Ministry of Health and Family Welfare said in June that it is investigating what it called baseless reports of a data breach of its COVID vaccine database.
Two months earlier, in April, the United States Consumer Financial Protection Bureau (CFPB) told lawmakers it suffered a data breach. A CFPB employee, who no longer works there, forwarded to a personal email account personal information on 256,000 consumers and confidential supervisory information on 45 financial institutions, the Wall Street Journal (WSJ) reported April 19.