The data of more than 2.65 million Atrium Health patients was breached for a week-long period, due to a cyberattack on the health system’s billing vendor AccuDoc Solutions in September.
The North Carolina billing vendor prepares patient bills and operates the online billing system for Atrium Health, which consists of 44 hospitals throughout North Carolina, South Carolina and Georgia. The records were retained by AccuDoc from payments made at several Atrium Health locations.
According to the notification, AccuDoc told Atrium Health on October 1 that some of its databases were compromised in a cyberattack. Upon discovery, access was terminated and officials launched an investigation. AccuDoc also took steps to secure the impacted database and systems.
The investigation determined a hacker breached AccuDoc databases from September 22 through 29. Officials said patient data was compromised, but the data could only be viewed by the hacker, not extracted.
The compromised database included data of the guarantors and patients, including full names, addresses, dates of birth, insurance policy details, medical record numbers, account balances and dates of service. The Social Security numbers of about 700,000 patients were also breached.
Financial data like credit card numbers were not included in the stolen data.
Those patients whose Social Security numbers were breached are being offered one year of free credit monitoring.
“Importantly, Atrium Health’s own systems and those of its Managed Locations were not affected by this cyber incident,” officials said in a statement.
Despite the breach being contained to AccuDoc, Atrium hired a forensic team to investigate the incident and has since reviewed its security safeguards. AccuDoc and Atrium Health are also working with the FBI.
“Individuals should monitor their account statements, bills, notices, and insurance transactions for incidents of unauthorized activity, and contact Atrium Health with any questions or concerns,” officials said. “We deeply regret the incident occurred regarding AccuDoc’s databases, and we apologize for any inconvenience.”
AccuDoc serves about 50 clients, but only one other healthcare provider was breached: about 40,000 Baylor Medical Center patients were impacted.
The breach is the largest seen by a healthcare organization in 2018 and is 11 of overall breaches on the sector.
UnityPoint Health notified 1.4 million patients in July that their data may have been exposed after a phishing attack – its second breach of 2018. About 1.5 million Singapore patient records were breached in July, as hackers attempted to gain access to the medical records of Prime Minister Lee Hsien.