Business Associate Data Breach Impacts 2.65 Million Atrium Health Patients

AccuDoc Solutions Inc., a supplier of healthcare billing services, has discovered a major data privacy breach in which the protected health information of 2,650,000 patients of Atrium Health was accessed by hackers.

Morrisville, NC-based AccuDoc Solutions puts together bills for clients and manages the online payment system utilized by Atrium Health, an organization of 44 hospitals based in North Carolina, South Carolina and Georgia.

On October 1, 2018, AccuDoc Solutions contacted Atrium Health that some of its databases had been infiltrated. The breach investigation showed that hackers obtained access to AccuDoc Solutions databases during a time period between September 22 and September 29, 2018.

A thorough forensic investigation into the attack showed that patient information had been impacted, but the information saved in its databases could only be viewed not downloaded. No PHI was taken by the hackers nor transmitted on other channels.

AccuDoc Solutions has revealed that the breach was the result of a security vulnerability at an external vendor. The business relationship with that vendor has now been been discontinued. AccuDoc Systems has locked out the hackers and has strengthened its security processes to stop future attacks.

Atrium Health said the information impacted in the attack was restricted to patients’ names, addresses, invoice details, account balances, service dates and health insurance data. Roughly 700,000 Social Security numbers were also compromised; however, no sensitive financial data or medical histories were impacted.

A spokesperson for Atrium Health said: “We are notifying the patients and guarantors who may have been impacted by this incident. We take cybersecurity very seriously, and we’ve worked very hard to determine exactly what happened, and how to prevent it from happening again. The fact that even one record was accessed is one too many. Our patients expect us to keep all of their information private, which is why we took action so quickly.”

Atrium Health is now making contact with all impacted patients and has offered credit monitoring and identity theft protection services to patients impacted by the breach for free.

AccuDoc serves around 50 other healthcare suppliers; however only a single other client was impacted by the breach: Baylor Medical Center in Frisco, TX. Up to 40,000 Baylor Medical Center patients were impacted.

Taking into account the estimated number of individuals impacted, this is the largest healthcare data breach since the 3,466,120-record breach at Newkirk Products Inc., that was made known to the OCR in September 2016. It is the eleventh biggest healthcare data breach reported since OCR began making breach summaries available to the public in 2009.