HCA Healthcare says data breach 'appears to be a theft'

The health system says the patient data, which was posted online, includes names, phone numbers and appointment information, but not clinical or payment info.
By Mike Miliard
10:21 AM

Photo: zf L/Getty Images

Nashville-based HCA Healthcare on Monday alerted its patients that some of their information was "made available by an unknown and unauthorized party on an online forum" in a breach that may have affected 11 million people.

WHY IT MATTERS
According to the for-profit health system, with 180 hospitals and 2,300 ambulatory clinics across 20 U.S. states and the United Kingdom, the data security incident involved data such as patient name and address information (city, state, ZIP code), as well as emails, telephone numbers, dates of birth and gender. Additionally, some of the data posted included medical appointment dates and locations, according to HCA.

But the health system said the breached data does not include clinical information (information on treatment, diagnosis or condition), payment information (credit card or account numbers) or other sensitive information, such as passwords, driver’s license or Social Security numbers.

"This appears to be a theft from an external storage location exclusively used to automate the formatting of email messages," said HCA officials. "There has been no disruption to the care and services HCA Healthcare provides to patients and communities. This incident has not caused any disruption to the day-to-day operations of HCA Healthcare.

"Based on the information known at this time, the company does not believe the incident will materially impact its business, operations or financial results," the health system added.

HCA reported the security event to law enforcement, it says, and has retained third-party forensic and threat intelligence advisors.

THE LARGER TREND
The 11 million HCA patients reportedly impacted by this breach would make it one of the biggest in recent years. As healthcare data breaches have become more commonplace, the past several months have seen IT vendors and health plans sued for their own breaches. Meanwhile, healthcare chief information security officers are facing their own challenges with budgetary pressures and burnout.

HCA Healthcare's VP of data services and information recently spoke with HIMSS TV about how the health system is prioritizing its digital transformation efforts.

ON THE RECORD
"While our investigation is ongoing, the company has not identified evidence of any malicious activity on HCA Healthcare networks or systems related to this incident," officials noted in the statement.

"The company disabled user access to the storage location as an immediate containment measure and plans to contact any impacted patients to provide additional information and support, in accordance with its legal and regulatory obligations, and will offer credit monitoring and identity protection services, where appropriate."

Mike Miliard is executive editor of Healthcare IT News
Email the writer: mike.miliard@himssmedia.com

Healthcare IT News is a HIMSS publication.
