CHARLOTTE, N.C. — Atrium Health says the personal information of more than two million patients may have been compromised in a data breach.
The information included social security numbers, addresses and dates of birth, according to an official with the company.
The hack happened within AccuDoc, which is a billing vendor used by Atrium. A total of 2.65 million people were reportedly affected by the breach.
Atrium says no medical records or debit/credit card numbers were accessed during the breach. AccuDoc says an unauthorized third party gained access to the patient information between September 22nd and September 29th.
Patients who were impacted by the breach will be notified beginning on Tuesday, November 27th.
AccuDoc says they have now strengthened their security controls and hired forensic experts to make sure no information was downloaded during the breach.
Patients who were impacted by the breach will receive free credit monitoring and identity protection, according to a news release.
More information:
How many people may have been exposed in this hack?
The exact number is hard to pinpoint, but based on our investigation it looks like the unauthorized user gained access to databases that had about 2.65 million records. Of the 2.65 million, it appears around 700,000 included Social Security numbers. It is very important to understand that the data was accessed but not downloaded in this incident. Our forensics reports indicate they were not able to actually download or remove the files.
But the fact that even one record was accessed is one too many. Our patients expect us to keep all of their information private, which is why we took action so quickly.
We are monitoring the situation closely. AccuDoc has enhanced their security measures, closed off the compromised path, and we have notified the patients and guarantors who may have been impacted by this incident. We take cyber security very seriously, and we’ve worked very hard to determine exactly what happened, and how to prevent it from happening again.
What type of personal patient information may have been exposed?
First, it is important to understand that our systems are separate from AccuDoc’s, so Atrium Health’s systems and those of our managed locations are not impacted by this incident. It also is important to understand that the data was accessed but not downloaded in this incident.
It appears that the attack at AccuDoc involved some personal information such as name, address, date of birth, insurance policy information, medical record number, invoice numbers, account balance, dates of service, and in some cases, Social Security numbers. But personal medical information, bank accounts and credit card numbers were not accessed, per our investigation.
This is important information to share with our patients, which is why we have notified them in writing and encouraged them to keep a close eye on their accounts just to be safe. We also set up a toll-free number to answer questions and help the patients impacted, and we have offered free credit monitoring to those whose Social Security numbers may have been affected.
Atrium was made aware of the hack on October 1st. Why weren’t patients notified sooner?
Atrium Health was informed by AccuDoc about the cyber incident on October 1 that an unauthorized third party gained access to AccuDoc’s databases between September 22 and September 29, 2018.
These are complicated investigations. We’ve been working around the clock with AccuDoc, outside forensic investigators and the FBI to get to the bottom of this incident. We are now at the point where we understand what happened, who was impacted, and what information was accessed. It is important to understand that data was accessed but not downloaded in this incident.
In addition to launching multiple forensic investigations, AccuDoc has strengthened their security controls and we have reviewed our systems, as we routinely do, to make sure we are not vulnerable to a similar threat.
We are now focused on helping our patients understand the facts and providing services to help them protect themselves. We are notifying those who may have been impacted, have set up a toll-free number to answer questions, and have provided free credit monitoring to those whose Social Security numbers may have been affected.
What steps did Atrium/AccuDoc take following the discovery of the hack?
We’ve been working around the clock with AccuDoc to get to the bottom of this incident. AccuDoc immediately terminated the unauthorized access; they rebuilt the affected databases; both AccuDoc and Atrium Health each hired outside forensic investigators; and we have both consulted with the FBI.
Again, this incident did not involve Atrium Health’s systems. However, in today’s environment we are constantly evaluating and evolving our systems to protect patient information. To that end, we have also reviewed our systems to ensure we’re armed against similar attempts.
Is Atrium still contracted with AccuDoc?
Our focus right now is on this cyber incident. AccuDoc and Atrium Health have worked around the clock to understand what happened, who was impacted, and what information was accessed. It is premature to make any decisions about current or future business relationships.
How will Atrium assure patients that their information will be safe moving forward?
Again, this incident did not involve Atrium Health’s systems. However, in today’s environment we are constantly evaluating and evolving our systems to protect patient information. To that end, we have also reviewed our systems to ensure we’re armed against similar attempts. We take cyber security very seriously, and we’ve worked very hard to determine exactly what happened, and how to prevent it from happening again.