HCA Healthcare is the largest healthcare provider in the U.S., made up of 182 hospitals and 2,300 health care facilities spread across 20 states. On July 10, 2023, a cyberattack came to light when the personal data of numerous patients appeared online. It is estimated that the breach affected approximately 11 million HCA Healthcare patients, exposing their private information. The compromised data, accessed unlawfully, comprised patients’ names, addresses, contact details, birth dates, service dates, and details pertaining to future appointments. It is believed that the information was exfiltrated from an external storage location that was used to format patient email messages. In response to the attack, internal IT disabled user access to the storage location as an immediate containment measure. HCA Healthcare promptly posted a notice on its website alerting the public to the incident and assured patients that payment and clinical information were not accessed in the attack.
This incident follows closely on the heels of another major breach reported just six weeks prior, in which Johns Hopkins fell prey to a ransomware attack. In that instance, a Russian ransomware collective leveraged a well-documented vulnerability in a file transfer application used by a portion of the employees. As in the Johns Hopkins case, a class action suit has been filed against HCA Healthcare.
Basis of the Case
The plaintiffs in the case state that HCA Healthcare has a legal duty of care to keep the private information of patients safe and confidential. They allege that HCA Healthcare failed to properly implement basic data security practices and reasonable measures to protect private patient information from unauthorized access, including obligations outlined by HIPAA legislation, the FTC Act, and industry standards. They specifically state that the defendant failed to adequately monitor the security of its networks and systems, which made the attack possible.
The lawsuit alleges that the plaintiffs and class members are owed both compensatory and consequential damages incurred as a result of the data breach. These damages include, but are not limited to, the expenses related to the prevention, detection, and resolution of identity theft, tax fraud, and other unauthorized uses of their personal information. The suit further seeks to obligate the defendant to enhance its data security mechanisms and supervision procedures and to submit to subsequent audits of these systems and processes. The plaintiffs are also seeking the defendant’s continued commitment to providing satisfactory credit monitoring services for all parties involved in the lawsuit.
Call to Action
Two primary protection methods to secure sensitive data are access control and encryption. Proper access control ensures that only authorized individuals have access to specific data or systems. Access should be configured using the principle of least privilege, in which users are given the minimum level of access needed to perform their job. This requires some method of identifying and authenticating users, such as user credentials, multifactor authentication (MFA), or biometric authentication. Access can be granted through assigned permissions, access lists, or role-based access control (RBAC), in which access is based on the role assigned to the designated user. Access to privileged areas should be monitored and regularly audited to identify any suspicious activity.
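As an added example (not code from the article, HCA Healthcare, or any named vendor), the following Python sketch applies a deny-by-default, role-based check to a shared storage location like the one described above and then reviews the resulting audit trail for repeated denials and unusually large reads. The roles, users, resource name, thresholds, and log entries are all constructed for illustration.

```python
# Added example: least-privilege RBAC check for a shared storage location,
# with an audit trail reviewed for suspicious activity. All roles, users,
# resource names and thresholds below are constructed assumptions.
from collections import Counter, defaultdict

# Role -> set of (resource, action) pairs the role may perform.
# Only what the job needs: the help desk has no path to patient data at all.
ROLE_PERMISSIONS = {
    "email_template_editor": {("patient-email-storage", "read")},
    "email_service_account": {("patient-email-storage", "read"),
                              ("patient-email-storage", "write")},
    "help_desk": set(),
}

def authorize(user, role, resource, action, records, log):
    """Deny by default; allow only if the role explicitly grants the action.
    Every decision, allowed or not, is appended to the audit log."""
    allowed = (resource, action) in ROLE_PERMISSIONS.get(role, set())
    log.append({"user": user, "role": role, "resource": resource,
                "action": action, "records": records, "allowed": allowed})
    return allowed

def review_audit_log(log, denied_threshold=3, volume_threshold=10_000):
    """Flag users with repeated denials and users whose permitted reads
    add up to an unusually large number of records (possible bulk export)."""
    findings = []
    denials = Counter()
    volume = defaultdict(int)
    for e in log:
        if not e["allowed"]:
            denials[e["user"]] += 1
        elif e["action"] == "read":
            volume[e["user"]] += e["records"]
    for user, n in denials.items():
        if n >= denied_threshold:
            findings.append(f"repeated denials: {user} ({n})")
    for user, n in volume.items():
        if n >= volume_threshold:
            findings.append(f"bulk read: {user} ({n} records)")
    return findings

def demo():
    """Constructed scenario: one normal read, three denied help-desk
    attempts, and one service-account read far above the normal volume."""
    log = []
    authorize("alice", "email_template_editor", "patient-email-storage", "read", 1, log)
    for _ in range(3):
        authorize("bob", "help_desk", "patient-email-storage", "read", 1, log)
    authorize("svc-mailer", "email_service_account", "patient-email-storage", "read", 25_000, log)
    return review_audit_log(log)
```

The volume check is what separates a service account doing its job from one being used to pull an entire table; the threshold should be tuned to the account's normal daily activity.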
It is essential that organizations use robust encryption methods to protect sensitive data both at rest and in transit. If the data is accessed by an unauthorized party, it will be unusable without access to the decryption keys, which must themselves be thoroughly protected. Encryption can be enforced through management policies using tools such as Group Policy or an MDM provider.