How the Atrium Health Data Breach Unfolded

^{More than 2 million Atrium Health patients were affected by the data breach. This image has been altered. Image licensed by maciek905 - stock.adobe.com}

News broke yesterday that more than 2 million Atrium Health patients’ information was compromised in a data breach. But today, Healthcare Analytics News™ learned that the hack did not affect AccuDoc Solutions’ software, but rather its software vendor, which the company has since cut ties with. And Atrium’s patients are only just learning of the data breach — which happened two months ago.

So what exactly happened?

An unauthorized third party gained access to AccuDoc’s database between Sept. 22 and Sept. 29. Atrium Health, a not-for-profit healthcare and wellness provider operating in North and South Carolina was informed of the incident on Oct. 1.

>> READ: What to Do Before and After a Data Breach

Though the exact number of people affected is difficult to pinpoint, Chris Berger, a spokesperson for Atrium Health, said the health system’s investigation suggested that the unauthorized user gained access to databases that had about 2.65 million records.

Certain personal information about patients and guarantors may have been accessed, including first and last name, home address, date of birth, insurance policy information, medical record number, invoice number, account balance, date of service and 700,000 included Social Security numbers.

Personal clinical and medical records and financial account information were not involved in the incident.

Patients whose Social Security numbers were involved are being offered free credit monitoring and identity protection services.

“We take cybersecurity very seriously, and you can be sure we’ve worked very hard to determine exactly what happened and how to prevent it from happening again,” Berger said.

He told Healthcare Analytics News™ that AccuDoc was using a software vendor to perform work for another client when that software vendor got hacked, which led to AccuDoc being hacked. That’s how the trouble hit Atrium Health patients.

AccuDoc general counsel Kenneth Perkins reportedly said that this is the first hacking to affect the company in its roughly 13-year history.

AccuDoc severed ties with the compromised software vendor and terminated that company’s access.

After discovering, AccuDoc and Atrium Health cut off all unauthorized access, secured the affected database and enhanced security controls, according to the companies.

Both AccuDoc and Atrium Health hired outside forensic investigators and have been in contact with the FBI.

Atrium’s forensic investigative firm confirmed that their patients’ information does not appear to have been downloaded or removed from AccuDoc’s system.

The databases accessed by hackers contained information provided with payment for services at an Atrium Health location and some managed by the health system, including Blue Ridge HealthCare System, Columbus Regional Health Network, NHRMC Physician Group, Scotland Physicians Network and St. Luke’s Physician Network.

Due to the complicated nature of the investigation, Berger said, patients and guarantors whose information was affected just began hearing of the incident yesterday

“We are now focused on helping our patients understand the facts and providing services to help them protect themselves,” Berger said.

Get the best insights in healthcare analytics directly to your inbox.

Related

Update: 94K Hit in CMS Data Breach

CMS Discloses Breach Affecting 75K People, Offering Few Details

WannaCry, NotPetya and Cyberwarfare’s Threat to Healthcare