- HCA Healthcare is facing a class action lawsuit after the health system reported a data breach that could affect an estimated 11 million patients.
- The suit, filed last week in Tennessee District Court, alleges the Nashville-based health system failed to protect patient data — including names, contact information, addresses and appointment information — putting patients at a “lifetime risk” of identity theft.
- The for-profit health system, which is the largest in the country, said last week that data was stolen from an external storage location used to format emails and was then posted online.
The plaintiffs in the suit allege HCA failed to use “reasonable security procedures and practices,” like encrypting data or deleting it when no longer necessary, and should have been aware of industry security risks as hackers and thieves increasingly target the healthcare sector for its wealth of valuable data.
Although the stolen information did not include clinical data, payment information or sensitive information like passwords or social security numbers, plaintiffs argued that evidence of a patient receiving medical care can be protected health information subject to HIPAA guidelines.
The incident is under investigation, according to a release from HCA posted last week. The stolen list could contain 27 million rows of data, with information from about 11 million patients who received care at HCA hospitals or physicians’ offices in 20 states.
“Our focus now is on our patients and ensuring they have information about the data security incident and the actions already underway to take care of them,” an HCA spokesperson said in a statement. “We will respond to any lawsuits or proceedings, in the appropriate forums and ordinary course.”
The HCA lawsuit comes after another health system, Baltimore-based Johns Hopkins, was recently hit with a class action lawsuit following a ransomware incident. The suit alleged the system failed to implement safeguards to secure the health and identifiable data of those affected by the breach.
Healthcare data breaches exposed 385 million patient records from 2010 through 2022, according to federal reports. Hacking incidents have soared over the past five years while other types of breaches — like theft, data loss or improper disclosure — have fallen slightly.