Personal information for more than 2 million Atrium Health patients may have been compromised in a data breach of billing information, including addresses, dates of birth and Social Security numbers, the Charlotte health care giant said Tuesday.
A hacking affecting Atrium billing vendor AccuDoc may have affected as many as 2.65 million people, Charlotte-based Atrium said. Of those, about 700,000 patients may have had Social Security numbers compromised, according to Atrium.
Atrium Health, formerly Carolinas HealthCare System, operates 44 hospitals across North Carolina, South Carolina and Georgia. Atrium is the largest health care provider and employer in Charlotte.
Compromised patient information also includes insurance policy information, medical record numbers, invoice numbers, account balances and dates of service, according to a joint news release from Atrium and AccuDoc. Atrium emphasized that the information was accessed but not downloaded.
Medical records were not accessed, Atrium said, and neither were bank account or debit and credit card numbers.
AccuDoc, a Raleigh-area company that prepares bills and operates the website where patients can make payments online, became aware that a cyber incident took place on Oct. 1, according to the release. An “unauthorized third party” accessed the patient information between Sept. 22 and 29, the release said.
AccuDoc general counsel Kenneth Perkins did not rule out that more patients might be affected than the number disclosed Tuesday but said it’s highly unlikely the number will grow. That’s because the current figures are based on entire databases of patients out of an abundance of caution, he said.
But, “anything is possible,” he said. “We’ve tried to take the high road and (notified) everybody and be good stewards. ... We take health care privacy very seriously.”
The only other AccuDoc client affected by the hack was Baylor Medical Center at Frisco in Texas, he said. Data for about 40,000 people were impacted at that hospital, which is about an hour north of Fort Worth.
Atrium Health and AccuDoc said they began notifying patients of the hacking on Tuesday, nearly two months after they became aware of the incident.
“These are complicated investigations,” Atrium spokesman Chris Berger said Tuesday. “We’ve been working around the clock with AccuDoc, outside forensic investigators and the FBI to get to the bottom of this incident.”
Since the hacking, AccuDoc strengthened its security controls and Atrium has reviewed its systems, Berger said.
AccuDoc and Atrium hired forensic experts and those “investigations indicate that the information was not removed from AccuDoc’s systems,” the joint news release said.
The incident is the latest example of a hacking involving a third-party firm and affecting large amounts of U.S. consumer data. Such firms are widely used by companies in many industries, including banking and retail.
AccuDoc has worked for Atrium for more than five years, Perkins said. The company mails bills to Atrium patients and provides web services for the hospital system, such as patient portals, he said.
The hacking affecting Atrium patient data traced back to another vendor that AccuDoc used, Perkins said. It was that vendor that was hacked, and the hacker then obtained the Atrium information, he said.
It’s the first hacking to affect AccuDoc in its roughly 13-year history, Perkins said.
“It was not a security weakness at AccuDoc,” he said. “It was a security weakness at a third-party vendor.”
That vendor was immediately fired, he said.
How to get help
Patients whose Social Security numbers were affected can get free credit monitoring and identity protection, offered through the companies, the press release said.
Patients who think they may be affected can visit www.krollfraudsolutions.com/accudocincident/. Individuals who may be affected can also call 833-228-5726 for more information.
Last year, 1,022 data breaches were reported to the North Carolina Department of Justice, affecting an estimated 5.3 million N.C. residents. About half of the breaches were hacking incidents.
A prominent hacking incident occurred in Mecklenburg County when a hacker gained access to at least one government employee’s computer network log-in ID and launched a ransomware attack on the county.
In the Atrium incident, locations impacted by the breach include Blue Ridge HealthCare System, Columbus Regional Health Network, New Hanover Regional Medical Center Physician Group, Scotland Physicians Network and St. Luke’s Physician Network.
The hack is the latest problem confronting Atrium this year.
In April, a group of about 90 doctors announced they wanted to leave the hospital system, accusing it of monopolistic and anti-competitive behavior.
Around the same time, Atrium faced a nasty public battle with an anesthesiology provider it had decided to sever ties with.
And this month, a group of former Atrium employees filed a federal class action lawsuit against the health care company, alleging that the hospital chain had cheated thousands of employees over retirement and health benefits by falsely claiming to be an arm of government.