HCA Healthcare Provides Substitute Notice to Certain Patients about a Previously Disclosed Data Security Incident

Rhea-AI Summary

HCA Healthcare (NYSE: HCA) reports data security incident affecting certain patients, notifying them through letters and emails. Incident involved unauthorized access to patient information, but no disruption to care and services. Exposed data includes patient contact details and appointment information, but no clinical or payment information. HCA Healthcare takes immediate containment measures, reports to law enforcement, and provides identity protection services for affected individuals.

Positive

• HCA Healthcare takes immediate action to contain the data security incident and provides identity protection services for affected individuals, demonstrating a commitment to addressing the issue and protecting patient privacy.

Negative

• None.

NASHVILLE, Tenn., Aug. 14, 2023 /PRNewswire/ -- HCA Healthcare (NYSE: HCA), one of the nation's leading healthcare providers which, through its affiliates, operates 182 hospitals and 2,300+ sites across 20 states, announced today that notification letters have been mailed to certain patients affected by a previously reported data security incident. HCA Healthcare issued a press release to report the incident publicly on July 10, 2023 and sent emails to the patients impacted by the incident the following week. HCA Healthcare is now mailing notification letters on a rolling basis, according to states of residence. This press release is intended to provide the same information included in the notification letters to individuals for whom HCA Healthcare has insufficient or out-of-date contact information.

As previously reported, on or around July 5, 2023, HCA Healthcare discovered that a list of certain information with respect to some of its patients was made available on an online platform by an unauthorized party. The information was obtained by the unauthorized party in late June in what appears to be a theft from an external storage location exclusively used to automate the formatting of email messages, such as reminders that patients may wish to schedule an appointment and education on healthcare programs and services. This incident caused no disruption to the care and services HCA Healthcare affiliates provide to patients and communities.

The exposed files contained patient name, city, state, zip code, email, telephone number, date of birth, gender, service date, location and, in some instances, the date of next appointment. The exposed personal information does not include clinical information, such as treatment, diagnosis, or condition; or payment information, such as credit card or account numbers; or other sensitive information, such as passwords, government-issued ID numbers, or social security numbers.

HCA Healthcare disabled user access to the aforementioned storage location as an immediate containment measure. HCA Healthcare also reported this event to law enforcement, retained third-party forensic and threat intelligence advisors to investigate the incident, and secured complimentary credit and identity protection services for affected individuals.

HCA Healthcare cares deeply about the patients it serves and takes this incident very seriously. Patients are encouraged to be vigilant against identity theft and fraud by reviewing account statements, monitoring any available credit reports for unauthorized or suspicious activity, and taking care in response to any email, telephone or other contacts that ask for personal or sensitive information (e.g., phishing). HCA Healthcare will never request sensitive information by phone or email and encourages patients to remain vigilant in identifying calls, emails or SMS texts which appear to be spam or fraudulent. Additionally, HCA Healthcare is providing complimentary credit monitoring and identity protection services to affected individuals for 2 years via IDX. Information regarding these services and enrollment instructions are included in the notification letters which are being mailed to impacted individuals, in addition to this press release.

HCA Healthcare has also established a dedicated toll-free call center to support individuals with questions about the incident. The call center can be reached at 1-888-993-0010, Monday to Friday from 8 am – 8 pm Central Time, excluding major U.S. holidays. Additional information can also be found on a dedicated webpage: https://hcahealthcare.com/about/privacy-update.dot.

All references to "HCA Healthcare" as used throughout this document refer to HCA Healthcare and its affiliates.

View original content:https://www.prnewswire.com/news-releases/hca-healthcare-provides-substitute-notice-to-certain-patients-about-a-previously-disclosed-data-security-incident-301899374.html

SOURCE HCA Healthcare

What is the impact of the data security incident on HCA Healthcare (NYSE: HCA) patients?

The incident involved unauthorized access to patient information, but no disruption to care and services.

What kind of patient information was exposed in the data security incident at HCA Healthcare (NYSE: HCA)?

The exposed files contained patient name, contact details, appointment information, but no clinical or payment information.

What measures did HCA Healthcare (NYSE: HCA) take in response to the data security incident?

HCA Healthcare disabled user access to the storage location, reported the event to law enforcement, and provided identity protection services for affected individuals.