HCA Healthcare (HCA) confirmed on July 10 that a cyberattack caused a breach affecting at least 11 million individuals. While the final number is not yet known, at 11 million it would be the largest healthcare data breach so far in 2023, and among the top five ever reported. HCA is one of the largest healthcare providers in the country, operating 180 hospitals and 2,000 care locations across 20 states and the UK.
The hack was first reported by DataBreaches.net on July 5. The report stated “A new user on a hacking forum has listed patient data from HCA Healthcare for sale” and noted that the hacker imposed a July 10 deadline for HCA to respond, although the demands were unspecified. DataBreaches.net continues to update the story as more information is revealed. By July 10, HCA had publicly reported the breach.
In its press release, HCA explained that the type of information disclosed on an online forum included:
- Patient name, city, state, and zip code;
- Patient email, telephone number, date of birth, gender; and
- Patient service date, location and next appointment date.
HCA also confirmed that the list contains information used for email messages, such as reminders that patients may wish to schedule an appointment and education on healthcare programs and services.
“This appears to be a theft from an external storage location exclusively used to automate the formatting of email messages. There has been no disruption to the care and services HCA Healthcare provides to patients and communities. This incident has not caused any disruption to the day-to-day operations of HCA Healthcare. Based on the information known at this time, the company does not believe the incident will materially impact its business, operations or financial results.”
Medical Identity Theft Harms Individuals
While the press release reassures the public that HCA’s day-to-day operations were unaffected, the reality for the millions of patients whose medical identity was stolen is more troubling. Medical identity theft is highly profitable for criminals and extremely damaging to the patient victims.
Remember, protected health information (PHI) and medical identity do NOT need to contain any diagnosis or “medical” information to be valuable to criminals. Only two things are needed for medical identity theft: the identity of a patient and the identity of a provider, according to the Inspector General of the U.S. Department of Health and Human Services (HHS).
This theft poses safety risks for the individuals whose data was stolen. Unlike financial identity theft (e.g., credit card fraud), medical identity theft can take longer to detect. The patients whose data was stolen face years of uncertainty over how their PHI might be used. The stolen PHI can be used to commit health insurance fraud and obtain prescription drugs. Safety is also compromised when a thief uses another person’s health insurance to get medical care and the thief’s medical information, such as a different blood type, becomes part of the victim’s patient record.
Lawsuits and Investigations Follow
Private Class Action Lawsuits
Four class action lawsuits have already been filed against HCA in federal district court in Tennessee, where HCA is headquartered. The first lawsuit filed alleges a failure to comply with the HIPAA Rules and FTC guidelines, and that HCA was negligent in failing to safeguard the personal and protected health information of patients. The complaint states that HCA “knew or should have known” that the private information collected is “highly sought after by criminal parties.”
According to the lawsuits, due to HCA’s negligence, patient data is now in the hands of cybercriminals, and the plaintiffs are likely to have their medical identity misused and face a lifetime risk of identity theft and fraud. The plaintiffs are seeking monetary damages, legal fees, a jury trial and injunctive relief. They are also demanding that HCA implement additional safeguards to better protect patient data.
The outcome of the lawsuits is not a certainty. The plaintiffs will need to prove concrete, actual injury, not speculative future injury, in order for the lawsuits to proceed. But the lawsuits are serious and will be expensive for HCA to defend.
State Attorneys General May Investigate
Another risk for businesses experiencing massive breaches that reach across the country is a state investigation.
The HITECH Act gave state attorneys general the authority to bring civil actions on behalf of state residents for violations of the HIPAA Privacy and Security Rules. State attorneys general may pursue damages on behalf of state residents or act to stop further violations of the HIPAA Privacy and Security Rules. When residents of multiple states are affected, attorneys general can pool their resources and participate in a multi-state action.
OCR HIPAA Investigation is Next
The Office for Civil Rights (OCR), which is responsible for HIPAA enforcement, investigates all reported breaches that affect 500 or more individuals.
Prevention with HIPAA Compliance
The best way to protect patients and retain their trust is to follow the HIPAA Security Rule and its cybersecurity guidelines. Compliance is affordable. Basic cybersecurity awareness training for staff is affordable. Managing risks in advance of a threat is affordable. Waiting until something bad happens can be devastating.