2.65 Million Atrium Health Patients Impacted by Business Associate Data Breach
AccuDoc Solutions Inc., a provider of healthcare billing services, has experienced a major data breach in which the protected health information of 2,650,000 patients of Atrium Health was exposed.
Morrisville, NC-based AccuDoc Solutions prepares bills for patients and operates the online payment system used by Atrium Health, a network of 44 hospitals throughout North Carolina, South Carolina and Georgia.
On October 1, 2018, AccuDoc Solutions notified Atrium Health that some of its databases had been compromised. The breach investigation revealed hackers had gained access to AccuDoc Solutions databases between September 22 and September 29, 2018.
An extensive forensic investigation into the attack confirmed that patient information had been compromised, but the information stored in AccuDoc Solutions' databases could only be viewed. No PHI was downloaded by the attackers or distributed via other channels.
AccuDoc Solutions reports that the breach was due to a security vulnerability at a third-party vendor. The business relationship with that vendor has now been terminated. AccuDoc Solutions has locked out the hackers and has enhanced its security measures to prevent future attacks.
Atrium Health said the information compromised in the attack was limited to patients’ names, addresses, invoice numbers, account balances, service dates, and health insurance information. Approximately 700,000 Social Security numbers were also compromised; however, no sensitive financial information or medical records were affected.
“We are notifying the patients and guarantors who may have been impacted by this incident. We take cybersecurity very seriously, and we’ve worked very hard to determine exactly what happened, and how to prevent it from happening again,” said a spokesperson for Atrium Health. “The fact that even one record was accessed is one too many. Our patients expect us to keep all of their information private, which is why we took action so quickly.”
Atrium Health is now notifying all affected patients and has offered credit monitoring and identity theft protection services to patients impacted by the breach.
AccuDoc serves approximately 50 other healthcare providers; however, only one other client was affected by the breach: Baylor Medical Center in Frisco, TX. Approximately 40,000 Baylor Medical Center patients were affected.
Based on the estimated number of individuals affected, this is the largest healthcare data breach since the 3,466,120-record breach at Newkirk Products Inc., which was reported to OCR in September 2016. It is the eleventh largest healthcare data breach reported since OCR started publishing breach summaries in 2009.
Largest Ever Healthcare Data Breaches
| Rank | Entity | Entity Type | Individuals Affected | Breach Type | Date |
|---|---|---|---|---|---|
| 1 | Anthem Inc. | Health Plan | 78,800,000 | Hacking/IT Incident | Feb-15 |
| 2 | Premera Blue Cross | Health Plan | 11,000,000 | Hacking/IT Incident | Mar-15 |
| 3 | Excellus Health Plan, Inc. | Health Plan | 10,000,000 | Hacking/IT Incident | Sep-15 |
| 4 | Science Applications International Corporation | Business Associate | 4,900,000 | Loss | Nov-11 |
| 5 | University of California, Los Angeles Health | Healthcare Provider | 4,500,000 | Hacking/IT Incident | Jul-15 |
| 6 | Community Health Systems Professional Services Corporation | Business Associate | 4,500,000 | Hacking/IT Incident | Aug-14 |
| 7 | Advocate Health and Hospitals Corporation, dba Advocate Medical Group | Healthcare Provider | 4,029,530 | Theft | Aug-13 |
| 8 | Medical Informatics Engineering | Business Associate | 3,900,000 | Hacking/IT Incident | Jul-15 |
| 9 | Banner Health | Healthcare Provider | 3,620,000 | Hacking/IT Incident | Aug-16 |
| 10 | Newkirk Products, Inc. | Business Associate | 3,466,120 | Hacking/IT Incident | Aug-16 |
| 11 | AccuDoc Solutions Inc. | Business Associate | 2,650,000 | Hacking/IT Incident | Nov-18 |
| 12 | 21st Century Oncology | Healthcare Provider | 2,213,597 | Hacking/IT Incident | Mar-16 |