HCA Healthcare on Monday reported a data security incident that may have compromised personal information of approximately 11 million patients.
The Nashville, Tennessee-based system said the exposed data, which was shared online by an unauthorized party, included patient names, locations, contact information, birth dates, gender and appointment dates. The for-profit health system said data was stolen from an external storage location and contained information for email messages used to remind patients about appointments and available healthcare services at hundreds of facilities across 20 states.
Compromised data did not include clinical information, credit card or account numbers, passwords, driver's license numbers or Social Security numbers, HCA said, adding that the incident has not disrupted its operations and is not expected to materially impact the business.
HCA, which operates 180 hospitals and about 2,300 ambulatory sites across the country, did not say when the data was exposed online.
"While our investigation is ongoing, the company has not identified evidence of any malicious activity on HCA Healthcare networks or systems related to this incident," HCA said in a news release. "The company disabled user access to the storage location as an immediate containment measure and plans to contact any impacted patients to provide additional information and support, in accordance with its legal and regulatory obligations, and will offer credit monitoring and identity protection services, where appropriate."
The incident is one of the largest data breaches reported since tracking began in 2010, the largest being a breach at health insurance company Anthem in 2015 that affected nearly 79 million individuals. Late last year, Chicago-based CommonSpirit Health reported a breach that affected more than 600,000 patients and cost the system roughly $150 million, including lost revenue and remediation efforts.
