Nashville-based HCA Healthcare, the largest health system in the U.S. with more than 180 hospitals and 2,300 healthcare sites, is being sued by patients in multiple class action lawsuits for failing to protect personal health information.
The July 5 data breach impacted 11 million patients in nearly two dozen states and is currently the largest healthcare breach of 2023 to date in terms of individuals potentially impacted.
The 182-hospital for-profit company reported the breach to the public on Friday, July 10, in a release that warned patients that critical personal information was compromised but added that the information didn’t include medical diagnosis, credit card or account numbers, social security information, or passwords.
The personal data hacked in the breach included patient names, city, state, zip code, email, phone number, date of birth, gender, appointment date, and appointment location. HCA has published a full list of the affected facilities which includes hospitals in
One lawsuit states, “Defendant knew or should have known the risk of a cyber attack because healthcare entities in possession of private information are particularly susceptible to cyber attacks.”
The plaintiffs of another case, Gary Silvers and Richard Marous, both patients, wrote that they and other impacted patients “now face a lifetime risk of identity theft due to the nature of the information lost, and a diminishment in the value of their private data.”
HCA, they wrote, “knew or should have known” that the private information collected is “highly sought after by criminal parties.” Security measures outlined in HCA’s data security incident report were “wholly inadequate” and allegedly did not comply with data security guidelines shared by the Federal Trade Commission or those outlined in the Health Insurance Portability and Accountability Act, plaintiffs wrote.
The other three complaints express similar lines of argument. They also list other causes of action, among them invasion of privacy, unjust enrichment and breach of fiduciary duty.
HCA said the information was taken from “an external storage location exclusively used to automate the formatting of email messages.”
The HCA hack ranks in the top five health-care hacks reported to the Department of Health and Human Services’ Office for Civil Rights. The worst such hack, a 2015 breach of the medical insurer Anthem, affected 79 million people.
The suspected HCA Healthcare hacker, who first posted a sample of stolen data online on July 5, was attempting to profit from the data by selling it and trying to extort the company, the Associated Press has reported.
The U.S. is No. 1 in terms of number of data breach victims. Enfortra’s new My Privacy 360 removes personal information from the web and actively scans the web for repeatedly exposed data. Securing online privacy is an ongoing battle. Even when individuals delete their information from people search sites, their personal data is typically re-exposed 2-3 times a year.