HCA Healthcare, a Nashville-based private network of hospitals and healthcare facilities, suffered a **criminal cyberattack in 2023** that resulted in a **severe data breach**. The attackers obtained the personal data of **3.6 million patients**, exposing them to risks of **identity theft and fraud**. The breach led to a **class-action lawsuit**, where plaintiffs argued that HCA Healthcare failed to prevent the attack, leaving patients vulnerable. While HCA denied the allegations, it agreed to an **undisclosed settlement**, offering affected patients **one year of free credit monitoring, insurance services, and cash payments up to $5,000 for documented losses** (e.g., fraudulent charges, credit expenses). The breach was publicly disclosed around **July 10, 2023**, and eligible claimants had until **September 25, 2025**, to file for compensation. The incident underscores the **critical vulnerabilities in healthcare data security** and the **financial and reputational repercussions** of large-scale patient data exposure.
Source: https://www.ecoticias.com/en/eligible-citizens-may-claim-up-to-5000/20786/
TPRM report: https://www.rankiteo.com/company/hca
"id": "hca4334043092525",
"linkid": "hca",
"type": "Cyber Attack",
"date": "7/2023",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{
    'affected_entities': [
        {
            'customers_affected': '3.6 million patients (U.S. residents with breached data)',
            'industry': 'Healthcare',
            'location': 'Nashville, Tennessee, U.S.',
            'name': 'HCA Healthcare',
            'size': '43+ million annual patient encounters',
            'type': 'Private Healthcare Network',
        },
    ],
    'customer_advisories': 'Eligible patients notified via settlement website and mail (free credit monitoring, cash payments up to $5,000 for documented losses)',
    'data_breach': {
        'data_exfiltration': 'Yes',
        'number_of_records_exposed': '3,600,000',
        'personally_identifiable_information': 'Yes',
        'sensitivity_of_data': 'High (healthcare/PII)',
        'type_of_data_compromised': [
            'Patient records',
            'Personally Identifiable Information (PII)',
        ],
    },
    'date_publicly_disclosed': '2023-07-10',
    'description': 'HCA Healthcare, a Nashville-based private network of hospitals and healthcare facilities, suffered a severe data breach in 2023 due to a criminal cyberattack. The breach compromised the data of 3.6 million patients, leading to a class action lawsuit alleging negligence in preventing identity theft and fraud risks. HCA Healthcare denied allegations but agreed to an undisclosed settlement, offering affected patients up to $5,000 in compensation and free credit monitoring services.',
    'impact': {
        'brand_reputation_impact': 'Negative (settlement and public disclosure)',
        'customer_complaints': 'Class action lawsuit filed',
        'data_compromised': '3.6 million patient records',
        'identity_theft_risk': 'High (alleged in lawsuit)',
        'legal_liabilities': 'Class action lawsuit settled with undisclosed sum',
    },
    'initial_access_broker': {'high_value_targets': ['Patient data', 'PII']},
    'investigation_status': 'Settled (final approval hearing scheduled for October 27, 2025)',
    'motivation': 'Likely financial (data theft for identity fraud or resale)',
    'post_incident_analysis': {
        'corrective_actions': [
            'Settlement agreement',
            'Credit monitoring services for affected patients',
        ],
    },
    'references': [
        {'source': 'Top Class Actions'},
        {'source': 'HCA Healthcare 2024 Annual Impact Report'},
        {'source': 'HCA Healthcare Data Breach Settlement Website'},
    ],
    'regulatory_compliance': {'legal_actions': 'Class action lawsuit (settled)'},
    'response': {
        'communication_strategy': 'Public disclosure (July 10, 2023), settlement website, class action notifications',
        'recovery_measures': 'Settlement agreement (credit monitoring, cash payments)',
    },
    'stakeholder_advisories': 'Settlement benefits for eligible class members (claim deadline: September 25, 2025)',
    'title': 'HCA Healthcare Data Breach (2023)',
    'type': 'Data Breach',
}