DENVER — Some Coloradans are starting to get emails from HCA Healthcare this week, warning them that some of their personal information was stolen during a data breach earlier this month.
A spokeswoman for HCA Healthcare, which operates Rose Medical Center, Swedish Medical Center and Sky Ridge Medical Center, along with a number of other hospitals and clinics in Colorado, said the company is still working to determine how many patients in Colorado had their data compromised.
According to a release on the HCA website, someone stole the data from an external data processing center used to generate automated emails to patients. The data stolen includes full names, phone numbers, addresses, email addresses and appointment information for 11 million patients throughout the healthcare company’s system. It was posted in a forum on the dark web.
The company said the data stolen did not include sensitive personal information like social security numbers, payment information like credit card numbers or personal medical information.
Stolen data not necessarily sensitive, but still potentially dangerous
Cybersecurity experts warned even though the data stolen appears to be minimally invasive, people should still be on alert.
“There’s no health medical records that have been exposed,” MSU Denver computer science professor Steve Beaty said. “There are first name, last name, phone, address, and where I think it becomes more interesting from a criminal point of view is it has the date of your next appointment and it has some details about where you might be going for your next appointment."
“If I was a bad person and I wanted to go out and exploit that, what I would do is send emails," he said.
Beaty said anyone with data stolen should not click on any links in emails, especially if the emails seem suspicious. He said criminals could try to skim more information from people by sending them a fake appointment link with a pre-registration form.
“My general recommendation is just never click an email. The links that you see in email, there may be a link behind it," he said.
Michael Bruemmer, head of data breach response for the credit rating agency Experian, said healthcare hacks like this account for about a third of all data breaches his company responds to each year.
He warns this limited data could be used to pull off something he calls synthetic identity theft.
“It might be my social security number, it might be your name and address, which are both valid, but it does not represent a real human being,” Bruemmer said. “And if the fraud protection services for the company that's accepting that information aren't up to snuff, you can actually have someone steal part of your identity, using it with someone else's valid social and get the provision of services. That's why it's so dangerous.”
What to do if you’ve been compromised
Sign up for free credit monitoring offered by HCA
All patients impacted by the data breach should receive a letter from the company, according to a Q&A webpage the company created in response to this breach. That letter will include details on free credit monitoring offered in response to this breach.
Freeze your credit report
Bruemmer suggested anyone who had any information stolen should contact the credit bureaus, like Experian and TransUnion, and freeze credit reports. He said you could also place a special fraud alert on your account.
Don’t click on email links or answer suspicious phone calls
“Don't accept any phone calls from any numbers that you don't recognize, or even someone in your contact list that you haven't spoken to,” Bruemmer said. “If they need to get a hold of you, they will, they will reach out.”
Change any passwords associated with your healthcare account
Beaty said even if hackers didn’t steal password information, they could try to use information stolen to figure out passwords.
“Nobody likes this answer: never reuse passwords,” Beaty said. “Have a unique password for each site you go to.”
“I know passwords weren’t stolen this time around," he said. "However, many of our usernames are based on our names one way or another, and our names were taken. Then I go to Facebook and find your pet's name and the birthdates of your children, then I have your password.”
Check to see if your email has ever been in a data breach before
It may sound strange, but Beaty suggests you visit a website called “Have I Been Pwned?” to determine if your email address has ever been leaked in a data breach. Pwned is slang for "owned," according to Beaty.
Beaty said the website aggregates data from known security breaches to see if your information has been compromised.
Hospitals
- Medical Center Of Aurora
- North Suburban Medical Center
- P-Sl Medical Center
- Rose Medical Center
- Sky Ridge Medical Center
- Swedish Medical Center
Physician Clinics
- Advanced Internal Medicine - Denver
- Advanced Laparoscopic And General Surg
- Aspen Family Med. @ Green Valley Ranch
- Aspen Medical Group
- Aurora Denver Cardiology Associates
- Barolat Neurosciences
- Burn and Reconstructive Center at Swedish Medical Center
- CareNow Urgent Care
- Centennial Primary Care-Denver
- Colorado Breast Care Specialists
- Colorado Complete Health For Women
- Colorado Gynecologic Oncology Specialists
- Colorado Limb Consultants
- Colorado Orthopedic Specialists
- Colorado Spine Specialists
- Consultants In Obstetrics And Gynecology
- Denver Center for Bariatric Surgery
- Denver Endocrinology
- Denver Heart - Englewood
- Denver Heart - Rose Medical Center
- Denver Internal Medicine
- Denver International Spine Center (DISC)
- Denver International Spine Center
- Englewood Primary Care
- Espirt Ob/Gyn Center
- Falci Institute For Spinal Cord Injuries
- Healthone Cardiothoracic Surgery Assoc.
- Healthone Neurology Specialists
- Metropolitan OB/GYN
- Midtown OB/GYNn
- Mile High OBGYN And Midwifery
- Mtn Orthopedic Trauma Surgeons @ Swedish
- North Denver Surgical Associates
- OrthoOne At Sky Ridge
- OrthoONE
- Orthopaedic Physicians Of Colorado
- Potomac Primary Care
- Precision Spine Specialists
- Premier Integrated OBGYN
- Rocky Mountain Ent Associates
- Rocky Mountain Gynecologic Oncology
- Rocky Mountain Pediatric Heart Surgery
- Rocky Mountain Pediatric Kidney Center
- Rocky Mountain Pediatric Orthopedics
- Rocky Mountain Pediatric Surgery
- Rocky Mountain Spine Clinic
- Rocky Mountain Surgical Associates
- Rocky Mt. Ped. Hemotology Oncology
- Rocky Mtn Ped Infectious Disease Consult
- Sky Ridge Primary Care at Castle Rock
- Sky Ridge Primary Care
- Skyline Primary Care - Denver
- South Park Health Care
- Swedish Family Medicine
- The Women's Health Group
- Women's Care Of Colorado
Have a tip about this or any story? E-mail 9NEWS reporter Steve Staeger at steve@9news.com.
SUGGESTED VIDEOS: Latest from 9NEWS