HCA Healthcare has disclosed a data breach affecting approximately 11 million patients who received care at one of its hospitals and clinics after a malicious actor leaked samples of stolen data to a hacking forum.

HCA Healthcare is one of the largest owners and operators of healthcare facilities in the United States, with 182 hospitals and 2,200 care centers in 21 US states and the United Kingdom.

As first reported by DataBreaches.net, on July 5, 2023, a malicious actor began selling data allegedly belonging to HCA Healthcare on a forum used to sell and leak stolen data. This forum post includes samples of the stolen database, which they claim consists of 17 files and 27.7 million database records.

The threat actor claims the stolen data consists of patient records created between 2021 and 2023.

The threat actor initially did not offer the database for sale, but instead used the message to blackmail HCA Healthcare, giving them until July 10 to respond to the requests. This is probably related to financial demands, although it was not explicitly mentioned.

However, after not receiving a response from HCA, the hacker began selling the full database as other threat actors expressed interest in purchasing the data.

Message from the threat actor on the forum
Source: BleepingComputer

The organization confirmed yesterday that the data leaked on the hacking forum is genuine, with the stolen database affecting an estimated 11,000,000 people.

“HCA Healthcare estimates that the list contains approximately 27 million rows of data that may include information on approximately 11 million HCA Healthcare patients,” says an HCA Healthcare data breach notification.

HCA claims the data was stolen from an “external storage location” used to format patient email messages.

“There has been no disruption to the care and services that HCA Healthcare provides to patients and communities,” HCA says.

The stolen data includes the following:

  • Full names
  • City, State and ZIP Code
  • E-mail address
  • Phone number
  • Date of birth
  • Gender
  • Date and place of service
  • Date of the next appointment

The above data is valuable to threat actors conducting phishing attacks and scams, who could use it to launch compelling social engineering attacks against those exposed.

HCA Healthcare does not believe that the stolen data contains detailed clinical information such as conditions, diagnosis and treatment, payment information such as credit card and bank account numbers, or other sensitive information such as passwords, social security numbers and driver’s licenses.

HCA Healthcare has notified law enforcement of the incident and continues to investigate whether its networks and systems are free of malicious activity that may indicate threat actors still have access to them.

Additionally, access to the hacked storage location has been disabled as an urgent containment measure, and the organization is working to implement additional security and data protection measures.

For a full list of affected facilities across the country, see the bottom section of the HCA Healthcare announcement.
