Business Associate Data Breach Impacts 2.65 Million Atrium Health Patients

by | Dec 3, 2018

AccuDoc Solutions Inc., a supplier of healthcare billing services, has discovered a major data privacy breach in which the protected health information of 2,650,000 patients of Atrium Health was accessed by hackers.

Morrisville, NC-based AccuDoc Solutions puts together bills for clients and manages the online payment system utilized by Atrium Health, an organization of 44 hospitals based in North Carolina, South Carolina and Georgia.

On October 1, 2018, AccuDoc Solutions contacted Atrium Health that some of its databases had been infiltrated. The breach investigation showed that hackers obtained access to AccuDoc Solutions databases during a time period between September 22 and September 29, 2018.

A thorough forensic investigation into the attack showed that patient information had been impacted, but the information saved in its databases could only be viewed not downloaded. No PHI was taken by the hackers nor transmitted on other channels.

AccuDoc Solutions has revealed that the breach was the result of a security vulnerability at an external vendor. The business relationship with that vendor has now been been discontinued. AccuDoc Systems has locked out the hackers and has strengthened its security processes to stop future attacks.

Atrium Health said the information impacted in the attack was restricted to patients’ names, addresses, invoice details, account balances, service dates and health insurance data. Roughly 700,000 Social Security numbers were also compromised; however, no sensitive financial data or medical histories were impacted.

A spokesperson for Atrium Health said: “We are notifying the patients and guarantors who may have been impacted by this incident. We take cybersecurity very seriously, and we’ve worked very hard to determine exactly what happened, and how to prevent it from happening again. The fact that even one record was accessed is one too many. Our patients expect us to keep all of their information private, which is why we took action so quickly.”

Atrium Health is now making contact with all impacted patients and has offered credit monitoring and identity theft protection services to patients impacted by the breach for free.

AccuDoc serves around 50 other healthcare suppliers; however only a single other client was impacted by the breach: Baylor Medical Center in Frisco, TX. Up to 40,000 Baylor Medical Center patients were impacted.

Taking into account the estimated number of individuals impacted, this is the largest healthcare data breach since the 3,466,120-record breach at Newkirk Products Inc., that was made known to the OCR in September 2016. It is the eleventh biggest healthcare data breach reported since OCR began making breach summaries available to the public in 2009.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy