One of the largest healthcare providers in the US, HCA confirmed the breach on Monday 10 July. The data was taken from an external storage location used exclusively to automate the formatting of email messages. In its statement, HCA confirmed that the stolen list contains information used for email messages, such as reminders that patients may wish to schedule an appointment and education on healthcare programs and services.
It also confirmed that the information taken did not include clinical information (such as treatment, diagnosis, or condition), payment information (such as credit card or account numbers), or sensitive information (such as passwords, driver’s licence or social security numbers).
Discussing the breach, Darren James, Senior Product Manager at Specops Software, said: “Once again, we see that globally healthcare organisations are a high-value target for cyber criminals. HCA claims they offer cyber security awareness education to their employees and vendors, but this once again proves that training needs to be reinforced by policy. All organisations can improve their security posture quickly by improving and enforcing their password policy so that it complies with NIST and HIPAA requirements. Implementing 2FA/MFA reduces the risk even further. Allegedly HCA was contacted by the hacker on the 4th July, and the data, including that of 11 million patients, was offered for sale on a forum on the 5th July. It appears that no ransomware was deployed in this breach, or that it may have been contained, as HCA’s operations do not appear to have been affected so this attack seems to be driven purely for financial gain.”
Looking at how the breach could have happened, Etay Maor, Senior Director of Security Strategy at Cato Networks, commented: “The breach could have resulted from sophisticated methods like phishing, malware, ransomware, or exploiting vulnerabilities in the healthcare provider’s security. However, without further details, it remains challenging to attribute the breach to a specific source or determine its exact nature.”
Maor went on to discuss how: “Healthcare organisations must take immediate action to strengthen cybersecurity measures in light of this concerning incident involving a major breach of personal data held by HCA. This serves as a stark reminder of the potential consequences of lax data security, including financial losses, legal liabilities, and reputational damage. To regain and maintain the trust of customers and stakeholders, healthcare entities must prioritise data protection by implementing stringent privacy policies, investing in robust cybersecurity infrastructure, and conducting regular audits to identify vulnerabilities. Proactive measures like employee training, encryption technologies, and continuous system monitoring are essential for safeguarding sensitive data. Collaboration and information sharing among organisations are critical in mitigating risks and combating evolving cyber threats. This serves as a wake-up call for healthcare organisations to prioritise data security not just for regulatory compliance, but also to ensure the trust and confidence of customers in an interconnected and data-driven world.”
Javvad Malik, lead security awareness advocate at KnowBe4, agrees with Maor on the possible ways this breach could have happened, saying: “When we look at healthcare breaches, the three most common ways that data is breached are through social engineering such as phishing emails, or through employees not taking care of their passwords and credentials, either by reusing passwords, leaving machines unlocked in public areas, or having passwords written down on post-it notes on monitors. The third way is by exploiting unpatched software. What all of this points to is the lack of an overall culture of security, in which cyber security is embedded throughout the organisation and each department and individual plays their part in ensuring the safety of the information.”
HCA’s statement also mentioned that its ongoing investigation has not identified evidence of any malicious activity on HCA Healthcare networks or systems related to this incident. The company disabled user access to the storage location as an immediate containment measure and plans to contact any impacted patients to provide additional information and support.