Nashville-based HCA Healthcare operates in 21 states, and mass numbers of patients in all but one of them may have had personal information offered for sale as a list on the deep web.

The deep web hosts sites that aren’t findable by standard search engines. The pilfered list—which HCA Healthcare believes may expose information on 11 million of its patients—turned up on a deep web forum soon after the cyber break-in took place.

The good news is that, according to HCA, the stolen info is limited to data commonly contained in emails. That’s because the individual or group behind the attack hit a storage server used only for email formatting.

Scraped info probably includes names, residence and email addresses, phone numbers and birth dates, along with dates and locations of past or upcoming medical appointments, HCA reports in a notice posted July 10.

Meanwhile the watchdog DataBreaches.net is reporting it’s been in touch with the data thief and hawker—and saying the two are one and the same.

“Of note,” the organization states, “the seller informed DataBreaches that they were also the hacker, that this was a hack, not a leak, and that they had contacted HCA Healthcare on July 4 and given them until July 10 to respond to demands.”

As of end-of-day July 10, the site had not updated its coverage.

Steps taken, planned and in the works 

HCA Healthcare is the largest for-profit hospital system in the U.S.

The 180-hospital, 2,300-caresite health system, which also has a presence in the U.K., says its investigation is ongoing and so far has not turned up any evidence of a broader attack.

Safe from the breach are clinical information (diagnoses, therapies); payment information (credit card numbers, account identifiers); and sensitive information like passwords, social security numbers and driver license numbers, HCA says.

The company says it has disabled user access to the email server location and

“plans to contact any impacted patients to provide additional information and support, in accordance with legal and regulatory obligations, and will offer credit monitoring and identity protection services where appropriate.”

Interest in the developing story has been intense, as evidenced by the broad coverage it’s been receiving in consumer and general business news outlets.

The deep web is distinct from the even more nefarious dark web, which is the small segment of the deep web that can’t be accessed without a specialized browser.