HCA Healthcare says hackers stole data on 11 million patients

Hospital and clinic operator HCA Healthcare said it has suffered a major hack that risks the data of at least 11 million patients.

Patients in 20 states, including California, Florida, Georgia and Texas, are affected, the Nashville-based chain said on Monday. The data accessed includes potentially sensitive information such as the patients' names, partial addresses, contact information and upcoming appointment date.

The breach, which the company learned about on July 5, is one of the biggest health care breaches in history.

The hackers accessed the following information, according to HCA Healthcare:

"This appears to be a theft from an external storage location exclusively used to automate the formatting of email messages," the company said in its Monday announcement.

"The company disabled user access to the storage location as an immediate containment measure and plans to contact any impacted patients to provide additional information and support, in accordance with its legal and regulatory obligations, and will offer credit monitoring and identity protection services, where appropriate," it said.

HCA is asking patients not to pay any invoices or billing requests without first calling the chain at (844) 608-1803 to verify that the message is legitimate.

HCA added that it "reported this event to law enforcement and retained third-party forensic and threat intelligence advisors." It also claimed that the breach, which revealed at least 27 million rows of data on about 11 million patients, didn't include potentially sensitive information, including patients' treatment or diagnosis; payment information, passwords, driver's license numbers or Social Security numbers.

However, this claim appears to be contradicted by DataBreaches.net, which first reported on the hack. DataBreaches posted a sample of code purportedly offered by a hacker containing the sentence, "Following up about your lung cancer assessment." If valid, this code would appear to contain clinical information about a person.

HCA claimed that it "has not identified evidence of any malicious activity on HCA Healthcare networks or systems related to this incident. The company disabled user access to the storage location as an immediate containment measure and plans to contact any impacted patients to provide additional information and support, in accordance with its legal and regulatory obligations, and will offer credit monitoring and identity protection services, where appropriate."

HCA operates more than 180 hospitals and 2,000 care locations, such as walk-in clinics, across 20 states and the U.K., according to the company's website.