Page last updated on September 29, 2025
HCA Healthcare, Inc. initially disclosed a cybersecurity incident in an SEC 8-K filing on 2023-07-10 09:00:29 EDT.
Incident Details
Material: No
Is Breach: Yes
Records Compromised: Unknown
Data Types Impacted: Other, Medical visit dates, Gender, Date of Birth, Phone Number, Email, Home address, Name
Compromised Date: Unknown
Detected Date: Unknown
Disclosure Date: 2023-07-10
Contained Date: Unknown
Recovered Date: Unknown
Attack Goal: Unknown
Attack Tactics1: TA0010
Attack Techniques1: T1213
Costs: No Costs Tracked (yet)
Filings
8-K filed on 2023-07-10
HCA Healthcare, Inc. filed an 8-K at 2023-07-10 09:00:29 EDT
Accession Number: 0001193125-23-184269
Item 8.01 Other Events.
On July 10, 2023, HCA Healthcare, Inc. issued a press release (the "Press Release") reporting a data security incident. The text of the Press Release is set forth as Exhibit 99.1 and is incorporated herein by reference.
Exhibit No. 99.1
Press Release, dated July 10, 2023.
HCA HEALTHCARE REPORTS DATA SECURITY INCIDENT
NASHVILLE, Tenn., July 10, 2023 - HCA Healthcare, Inc. (NYSE:HCA) recently discovered that a list of certain information with respect to some of its patients was made available by an unknown and unauthorized party on an online forum. The list includes:
- Patient name, city, state, and zip code;
- Patient email, telephone number, date of birth, gender; and
- Patient service date, location and next appointment date.
HCA Healthcare has confirmed that the list contains information used for email messages, such as reminders that patients may wish to schedule an appointment and education on healthcare programs and services.
Importantly, the list does not include:
- Clinical information, such as treatment, diagnosis, or condition;
- Payment information, such as credit card or account numbers;
- Sensitive information, such as passwords, driver's license or social security numbers.
This appears to be a theft from an external storage location exclusively used to automate the formatting of email messages. There has been no disruption to the care and services HCA Healthcare provides to patients and communities. This incident has not caused any disruption to the day-to-day operations of HCA Healthcare. Based on the information known at this time, the company does not believe the incident will materially impact its business, operations or financial results.
HCA Healthcare reported this event to law enforcement and retained third-party forensic and threat intelligence advisors. While our investigation is ongoing, the company has not identified evidence of any malicious activity on HCA Healthcare networks or systems related to this incident. The company disabled user access to the storage location as an immediate containment measure and plans to contact any impacted patients to provide additional information and support, in accordance with its legal and regulatory obligations, and will offer credit monitoring and identity protection services, where appropriate.
HCA Healthcare believes the privacy of its patients is a vital part of its mission and remains committed to maintaining the security of their personal information. HCA Healthcare has created a dedicated webpage at hcahealthcare.com/privacyupdate to keep its patients informed.
Company Information
| Name | HCA Healthcare, Inc. |
| CIK | 0000860730 |
| SIC Description | Services-General Medical & Surgical Hospitals, NEC |
| Ticker | HCA - NYSE |
| Website | |
| Category | Large accelerated filer |
| Fiscal Year End | December 30 |