Information from 11 million patients may have been taken in breach, HCA Healthcare says

(Gray News) - Hospital and clinic company HCA Healthcare reported Monday that it believes a breach has compromised the information of about 11 million patients.

The Nashville-based health care operator said it discovered the breach July 5, which affects patients at facilities in 20 states: Alaska, California, Colorado, Florida, Georgia, Idaho, Indiana, Kansas, Kentucky, Louisiana, Missouri, Mississippi, Nevada, New Hampshire, North Carolina, South Carolina, Tennessee, Texas, Utah and Virginia.

The affected facilities are listed on the incident information page.

A list of patient information, including “patient name, city, state, and zip code; patient email, telephone number, date of birth, gender; and patient service date, location and next appointment date” was posted on an online forum by an unknown person, the company said.

The information seems to have been taken “from an external storage location exclusively used to automate the formatting of email messages,” HCA Healthcare said.

The company noted that the leaked information doesn’t appear to contain clinical information, payment information or other sensitive information such as Social Security numbers.

Patients who receive suspicious or potentially fraudulent communications, such as invoices or payment reminders, should 844-608-1803 to confirm the legitimacy of the message.

Law enforcement has been notified of the breach, the company said, and it has ed advisors to help in the investigation.

In response to the breach, HCA Healthcare said it has blocked access to the storage location that was suspected to have been compromised and is working to patients to provide and additional information. It said it plans to offer credit monitoring and identity protection services as necessary.

It has also created a dedicated web page to keep its patients informed.

The breach isn’t expected to disrupt the company’s day-to-day operations, HCA Healthcare said.