What’s happening?
Names, ZIP codes, phone numbers, email addresses and appointment dates were among the information stolen.
The patient information seems to have been taken from an external storage location used for formatting email messages and appointment reminders, according to the announcement.
An “unknown and unauthorized party” then published a list of 27 million rows of information to an online forum. As its original purpose was for emails, the list did not include any clinical information, such as treatments, diagnoses, credit card numbers or other sensitive information, according to the announcement.
Instead, the list published only included the following information:
- Patient name, city, state and ZIP code
- Patient email, telephone number, date of birth and gender
- Patient service date, location and next appointment date
HCA Healthcare is the parent company for hundreds of hospitals and physician clinics across the U.S. and U.K., including all Medical City Healthcare locations, of which there are 16 across the Dallas-Fort Worth area. It has locations in Dallas, Collin, Denton and Tarrant counties.
HCA Healthcare is also the parent organization for Carenow, which also has multiple clinics in the DFW area.
HCA Healthcare has disabled user access to the storage location used in the data theft, according to the announcement. An investigation is underway, and no other “malicious activity” to HCA Healthcare networks and systems has been found, according to the announcement.
Patients concerned if their information was part of the leak can find updated information and answers to some frequently asked questions at HCA Healthcare’s privacy update website.
The update site also has a complete list of all health care facilities affected by the theft.
