Hospital operator HCA Healthcare Inc. has experienced a data breach that compromised 11 million patients’ personal information.

The company disclosed the hack on Monday. The disclosure comes a few days after reports emerged that hackers had posted a portion of the stolen data on a known cybercrime forum. According to TechCrunch, the data was put up for sale.

Nashville-based HCA Healthcare operates 180 hospitals and about 2,300 other healthcare locations such as clinics. It has a presence in 20 states as well the U.K. According to the company, its facilities provide healthcare services to about 37 million patients annually.

HCA detailed in its disclosure of the breach that the hackers obtained the affected patients’ names, addresses, dates of birth and contact information. The breach also compromised certain information related to care delivery. That data included patients’ next appointment dates and appointment reminders, as well as “education on healthcare programs and services.”

The company stressed that the hackers didn’t gain access to more sensitive files. Clinical information such as patient diagnosis records wasn’t stolen, according to the company. HCA added that no payment information, passwords, driver’s licenses or Social Security numbers were compromised in the breach.

According to the company, the hackers obtained the data they stole from an “external storage location exclusively used to automate the formatting of email messages.” HCA didn’t share more information about the system in question. However, it did detail that the breach didn’t disrupt its healthcare facilities’ day-to-day operations. “There has been no disruption to the care and services HCA Healthcare provides to patients and communities,” it stated.

As part of its initial response to the breach, the company disabled user access to the compromised system. It also reported the incident to law enforcement and hired cybersecurity advisors. Going forward, HCA plans to notify affected patients about the breach as well as offer credit monitoring and identity protection services where needed.

Since the start of 2023, multiple healthcare organizations have fallen victim to cyberattacks. Clinical services company Independent Living Systems LLC disclosed in March that hackers had made away with 4.2 million patients’ data. More recently, dental plan provider Managed Care of North America Inc. reported a large-scale breach in May.

Several of the healthcare organizations that disclosed data breaches this year were compromised as a result of the high-profile cyberattack against Fortra LLC’s GoAnywhere MFT application. Originally released in 2009, the application is used by companies to exchange files with one another. Hackers stole data from several GoAnywhere MFT deployments that belonged to companies in the healthcare sector. 

Image: HCA Healthcare