SecOpsNews / news

RSS items as GitHub Issues for the discerning engineering leader or security professional
MIT License
44 stars 0 forks source link

[DataBreaches] HCA Healthcare releases statement while hacker puts data up for sale on deep web #16276

Closed github-actions[bot] closed 1 year ago

github-actions[bot] commented 1 year ago

On July 5, while some folks were cleaning up from fireworks and barbecues, DataBreaches broke the news that HCA Healthcare data was up for sale on a deep web forum if the company didn’t meet some unspecified demands. Since that time, DataBreaches has remained in some contact with the seller, who has occasionally provided additional details (although not as many as this site would have liked). Of note, the seller informed DataBreaches that they were also the hacker, that this was a hack, not a leak, and that they had contacted HCA Healthcare on July 4 and given them until July 10 to respond to demands. HCA Healthcare did not reply to DataBreaches’ inquiries at the time, later telling a third party that the emails had been caught up in some DMARC-related filter. Today, HCA Healthcare issued a press release that says, in relevant part, that they recently discovered that a list of certain information with respect to some of its patients was made available by an unknown and unauthorized party on an online forum. The list includes: Patient name, city, state, and zip code; Patient email, telephone number, date of birth, gender; and Patient service date, location and next appointment date. HCA Healthcare has confirmed that the list contains information used for email messages, such as reminders that patients may wish to schedule an appointment and education on healthcare programs and services. Importantly, the list does not include: Clinical information, such as treatment, diagnosis, or condition; Payment information, such as credit card or account numbers; Sensitive information, such as passwords, driver’s license or social security numbers. They also report that the incident appears to be a theft from an external storage location “exclusively used to automate the formatting of email messages.” A website privacy update includes an FAQ that says, in part: 2. What data was accessed? We do NOT believe that clinical information (such as treatment, diagnosis, or condition), payment information (such as credit card or account numbers), or other sensitive information (such as passwords, driver’s license or social security number) is involved. They may not believe it, but even without that type of info, this is still protected health information and a reportable breach under HIPAA. But is their belief even justified? The hacker tells DataBreaches, “I have emails with health diagnosis that correspond to a clientID.  DataBreaches asked to see proof of that, but the hacker did not provide compelling proof, although they had already provided DataBreaches with a sample of code: [code]10963605,42841158,Dynamic From Name, marketing@m arketing.hcahealthcare.com,6/20/2023 12:38:00 PM,6/23/2023 2:37:43 PM, Following up about your lung cancer  assessment, DIV_CAP_Lung_Cancer_Low_Risk,318899,, Active,http://members. exacttarget. com/integration/EmailPreview. aspx?mid=fe6115707c62077b7511&jid=fe5e10727d60057c701c&sendtype=ffc71c&eid=fe5a16777260017d7211,True,[/code]   Did this link a patient name or ID to information about their lung cancer assessment? If so, isn’t that clinical information? The FAQ also addresses the number potentially affected: 7. How many patients are affected by this? The investigation is ongoing and we cannot confirm the number of individuals whose information was impacted. HCA Healthcare believes that the list contains approximately 27 million rows of data that may include information for approximately 11 million HCA Healthcare patients. Notice they don’t claim that that’s the only data acquired. They only say that 27 million rows would be about 11 million patients. It’s understandable that some media outlets would start headlining that 11 million patients were affected although the actual number could be significantly higher. The hacker commented to DataBreaches, “They claim ’11 Million’ not like they would know, they lost all their data.” And while the hacker didn’t offer proof of the total number of patients whose data was acquired, the seller uploaded a second sample of data yesterday — 1 million records seemingly from the San Antonio Division, where each record was one patient. HCA describes itself as one of the nation’s leading providers of healthcare services comprising 180 hospitals and approximately 2,300 ambulatory sites of care, including surgery centers, freestanding ERs, urgent care centers, and physician clinics, in 20 states and the United Kingdom. If there are 1 million patients’ records for just one division, and HCA Healthcare has locations in 20 states and the U.K., is it possible that the hacker really did acquire more than 11 million patients’ information — especially when the original listing indicated that more data would be included in the sale than the 27+ million rows? It’s unfortunate that the hacker has refused to provide more proof of some claims so that patients, regulators, and lawyers could begin to understand more about the possible scope of this breach. The data are now up for sale.

https://www.databreaches.net/hca-healthcare-releases-statement-while-hacker-puts-data-up-for-sale-on-deep-web/

github-actions[bot] commented 1 year ago

This issue is stale because it has been open 1 day with no activity. Remove stale label or comment or this will be closed in 1 day.

github-actions[bot] commented 1 year ago

This issue was closed because it has been stale with no activity.