A cyber attack on one of the largest hospital operators in the U.S. has exposed the private and sensitive health records of 11 million patients.

Hackers gained access to the mass data hold and made the data publicly available on an online forum. Vulnerabilities in an external storage site to which the data had been migrated went undetected by HCA Healthcare, which is headquartered in Nashville. The IT systems of HCA UK, which are separate from those of HCA Healthcare, were not affected by this incident.

The affected health facilities are dotted across Tennessee and include Parkridge Medical Center, Horizon Medical Center, Hendersonville Medical Center and Southern Hills Medical Center, as well as many more.

With healthcare settings currently focused on digital identity, the breach is disappointing, but it serves as a reminder of what every sector is working to combat: staying vigilant against the evolving techniques deployed by fraudsters and cyber criminals. Personal Health Information (PHI) that we all entrust to the healthcare profession was stolen and sold in one of the biggest ever data breaches in healthcare.

HCA did not respond to requests for comment.

Hyper-scale breaches have damaged trust across many industries. For example, Optus, Australia’s third largest telecommunications company, was subjected to intense reporting after suffering a breach that exposed the data of 9.7 million current and former customers. The most devastating data breaches to rock the healthcare sector include the Tricare data breach, which impacted 5 million users and bypassed encryption provisions.

Data attacks impacted 39 million people in the first half of 2023 alone, according to the HHS Office for Civil Rights (OCR) data breach department. When Managed Care of North America data was accessed illegally in 2023, an attack for which LockBit claimed responsibility, the company responded to threats to share PHI on the dark web by bolstering its future cybersecurity protections.

The breach, which scraped 27 million rows of patient data, was reported to law enforcement agencies and is under investigation. The company is offering compensation through identity protection services to the patients who were let down.

HCA’s statement, made after notifying patients on July 14, 2023, said: “We encourage patients to remain vigilant in identifying calls, emails or SMS texts which appear to be spam or fraudulent. Additionally, patients should never open links or attachments sent from untrusted sources.”