Delayed Reporting of HCA Healthcare Data Breach

The recent HCA Healthcare data breach of 11 million patients’ data is shaping up to be another ugly incident where a company did not promptly communicate with its customers. HCA Healthcare is a large American healthcare services organization that covers 180 hospitals and over two thousand care centers across 20 states. The loss of data is bad, as it includes 27 million rows and contains identity, contact, birthdate, and email data that potentially infer health diagnosis information.

But what is even more concerning is the company chose to not announce the breach and inform victims until after it was made public by security researchers who saw the data for sale on the dark web.

According to reports, the hacker contacted HCA on July 4th to extort money with a deadline of July 10th. The attackers provided a sample as proof of the breach on a hacking forum. On July 5th saw the data for sale on a darknet and reached out to HCA Healthcare, asking if they had been breached. HCA Healthcare did not respond.

It was not until July 10th that HCA Healthcare posted a notification that they were breached.


Image Source:

Why wait a week, which coincides with the ransom deadline? The delay was probably due to a lengthy investigation to confirm that sensitive data was exposed. A quick cross-check of the sample provided by the supposed attacker should have been sufficient. However, one could speculate they may have been considering paying the ransom, in hopes to keep the breach quiet — but that would be unethical. I hope that is not the case, but given the delay, it seems the public perception is leaning to be suspicious of HCA Healthcare’s motives, which will further erode customer trust and their brand. It may also lead to additional lawsuits.

The official notification, located on the HCA Healthcare site, provides a comprehensive list of facilities, organized by state, for customers to better understand if they are affected.

E-mail me when people leave their comments –

CISO and Cybersecurity Strategist

You need to be a member of CISO Platform to add comments!

Join CISO Platform

CISO Platform

A global community of 5K+ Senior IT Security executives and 40K+ subscribers with the vision of meaningful collaboration, knowledge, and intelligence sharing to fight the growing cyber security threats.

Join CISO Community Share Your Knowledge (Post A Blog)



CISO Breakfast at BlackHat Las Vegas 2024!

  • Description:

    We are thrilled to invite you to the CISO Breakfast at BlackHat 2024. 

    CISOPlatform is a community partner for the event which is co-hosted by Silicon Valley Bank, Stage One, First Rays Venture Partners, Latham & Watkins.


    Event Details: 

    • Date: Thursday, August 8th,…
  • Created by: pritha
  • Tags: blackhat usa, las vegas, ciso breakfast, usa