HCA Healthcare hacked

A national breach with Houston connections.

HCA Healthcare, which operates more than a dozen hospitals in the Houston area, announced that personal information from as many as 11 million patients nationwide has been stolen in a data breach and could be sold online.

The company did not say how many patients in the Houston area could be affected by the theft, but the list of affected hospitals includes 11 HCA Houston Healthcare locations, Woman’s Hospital of Texas and Texas Orthopedic Hospital.

The list of stolen personal information was posted in an online forum on July 5. It includes patients’ names, addresses, email addresses, phone numbers, birth dates and information about their appointments, the company said in an online statement about the data breach.

The theft does not appear to involve any credit card or bank account numbers, any clinical information such as medical records or any sensitive information such as passwords, Social Security numbers or driver’s license numbers, the company said.

HCA Healthcare said it is working to identify exactly which patients are affected. The company said it will notify those patients by mail in the coming weeks and will offer them complementary credit monitoring and identity protection services.

The theft appears to be from an external storage location that HCA Healthcare uses to automate the formatting of emails. The company said it has not detected any malicious activity on its own networks.


Based in Nashville, Tennessee, HCA Healthcare operates 180 hospitals across the United States, including 48 in Texas. It also operates approximately 2,300 medical clinics, emergency rooms, surgery centers and urgent care clinics nationwide.

Its HCA Houston Healthcare network includes the Clear Lake, Conroe, Kingwood, Mainland, Medical Center, North Cypress, Northwest, Pearland, Southeast, Tomball and West hospitals, as well as the Woman’s Hospital of Texas and the Texas Orthopedic Center.

It didn’t interrupt daily operations, so probably not some kind of malware/ransomware, and it appears that the data in question is not the most sensitive or personal data, which is good. My best guess would be some kind of cracked password or credential stuffing situation, or possibly a vulnerable or misconfigured system that allowed the attacker to gain entry. Whatever the case, it seems like the attackers perhaps weren’t interested in anything beyond the data they grabbed. Could have been worse, I guess, but there’s clearly room for improvement here. As the story notes, hospital systems have been a frequent target of attackers lately, and you can see from this story how extensive the reach can be.

I’ve been following these stories in large part because I worry about an attack on the city of Houston or Harris County or HISD. As such, I noted this with a great deal of interest.

Houston City Hall is weighing measures to bolster security at the facility after an audit identified lapses in procedures and an elected official said a belligerent man with a criminal past berated city workers last week.

Controller Chris Brown’s office released a June 27 audit that recommended the city improve its processes to remove badge access from ex-city workers, monitor training for its third-party security vendor and complete daily logs. Those fixes would be relatively inexpensive, Brown said.

As council discussed the audit Wednesday, Mayor Pro Tem Dave Martin said an angry man berated staff on two different floors last week.


In the controller’s audit, investigators said one lapse they found was that 1,507 former city workers were still on the city’s “active” badging list, more than half of whom had left the city more than six months earlier. The General Services Department now has implemented a process to allow monthly reviews of separated employees, the audit said.

Auditors with the controller’s office also found a door where the magnet was not working properly and had been left unsecured. The city said it replaced the door.

“In my mind, you put those two together — you have a disgruntled former employee, and you have very easy access with no gate, it gives the opportunity,” Brown said.

At-Large Councilmember Sallie Alcorn said she thinks the city should act now to correct the lapses, instead of waiting to do so after something worse.

I skipped the details of the angry dude – I feel confident that Council will take action on that since it affected them directly – but the audit has my interest. Badge access shouldn’t have much effect on cyber security, unless those badges are also smartcards that are used as a second factor for network access. Regardless, my concern is that if account management is this lax for badge access, what is it like for network logons? Having a bunch of idle accounts is a risk. I’m totally speculating here, these two functions may be separate, or maybe network logons are maintained better, but I wanted to bring it up. I hope all of the Mayoral candidates have cybersecurity for the city high on their priority list. It’s strictly a defensive posture, but we’ve had plenty of examples of what the downside risk is.

Related Posts:

This entry was posted in Elsewhere in Houston, Technology, science, and math and tagged , , , , , , , , , , . Bookmark the permalink.