The recent HCA Healthcare data breach of 11 million patients’ data is shaping up to be another ugly incident where a company did not promptly communicate with its customers. HCA Healthcare is a large American healthcare services organization that covers 180 hospitals and over two thousand care centers across 20 states. The loss of data is bad, as it includes 27 million rows and contains identity, contact, birthdate, and email data that potentially infer health diagnosis information.
But what is even more concerning is the company chose to not announce the breach and inform victims until after it was made public by security researchers who saw the data for sale on the dark web.
According to reports, the hacker contacted HCA on July 4th to extort money with a deadline of July 10th. The attackers provided a sample as proof of the breach on a hacking forum. On July 5th DataBreaches.net saw the data for sale on a darknet and reached out to HCA Healthcare, asking if they had been breached. HCA Healthcare did not respond.
It was not until July 10th that HCA Healthcare posted a notification that they were breached.
Why wait a week, which coincides with the ransom deadline? The delay was probably due to a lengthy investigation to confirm that sensitive data was exposed. A quick cross-check of the sample provided by the supposed attacker should have been sufficient. However, one could speculate they may have been considering paying the ransom, in hopes to keep the breach quiet — but that would be unethical. I hope that is not the case, but given the delay, it seems the public perception is leaning to be suspicious of HCA Healthcare’s motives, which will further erode customer trust and their brand. It may also lead to additional lawsuits.
The official notification, located on the HCA Healthcare site, provides a comprehensive list of facilities, organized by state, for customers to better understand if they are affected.