2.65 Million Atrium Health Patients Impacted by Business Associate Data Breach

AccuDoc Solutions Inc., a provider of healthcare billing services, has experienced a major data breach in which the protected health information of 2,650,000 patients of Atrium Health was exposed.

Morrisville, NC-based AccuDoc Solutions prepares bills for patients and operates the online payment system used by Atrium Health, a network of 44 hospitals throughout North Carolina, South Carolina and Georgia.

On October 1, 2018, AccuDoc Solutions notified Atrium Health that some of its databases had been compromised. The breach investigation revealed hackers had gained access to AccuDoc Solutions databases between September 22 and September 29, 2018.

An extensive forensic investigation into the attack confirmed that patient information had been compromised, but the information stored in its databases could only be viewed. No PHI was downloaded by the attackers nor distributed via other channels.

AccuDoc Solutions reports that the breach was due to a security vulnerability at a third-party vendor. The business relationship with that vendor has now been terminated. AccuDoc Systems has locked out the hackers and has enhanced its security measures to prevent future attacks.

Atrium Health said the information compromised in the attack was limited to patients’ names, addresses, invoice numbers, account balances, service dates, and health insurance information. Approximately 700,000 Social Security numbers were also compromised; however, no sensitive financial information or medical records were affected.

“We are notifying the patients and guarantors who may have been impacted by this incident. We take cybersecurity very seriously, and we’ve worked very hard to determine exactly what happened, and how to prevent it from happening again,” said a spokesperson for Atrium Health. “The fact that even one record was accessed is one too many. Our patients expect us to keep all of their information private, which is why we took action so quickly.”

Atrium Health is now notifying all affected patients and has offered credit monitoring and identity theft protection services to patients impacted by the breach.

AccuDoc serves approximately 50 other healthcare providers; however only one other client was affected by the breach: Baylor Medical Center in Frisco, TX. Approximately 40,000 Baylor Medical Center patients were affected.

Based on the estimated number of individuals affected, this is the largest healthcare data breach since the 3,466,120-record breach at Newkirk Products Inc., that was reported to OCR in September 2016. It is the eleventh largest healthcare data breach reported since OCR started publishing breach summaries in 2009.

Largest Ever Healthcare Data Breaches

Rank Entity Entity Type Individuals Affected Breach Type Date
1 Anthem Inc. Health Plan 78,800,000 Hacking/IT Incident Feb-15
2 Premera Blue Cross Health Plan 11,000,000 Hacking/IT Incident Mar-15
3 Excellus Health Plan, Inc. Health Plan 10,000,000 Hacking/IT Incident Sep-15
4 Science Applications International Corporation Business Associate 4,900,000 Loss Nov-11
5 University of California, Los Angeles Health Healthcare Provider 4,500,000 Hacking/IT Incident Jul-15
6 Community Health Systems Professional Services Corporation Business Associate 4,500,000 Hacking/IT Incident Aug-14
7 Advocate Health and Hospitals Corporation, dba Advocate Medical Group Healthcare Provider 4,029,530 Theft Aug-13
8 Medical Informatics Engineering Business Associate 3,900,000 Hacking/IT Incident Jul-15
9 Banner Health Healthcare Provider 3,620,000 Hacking/IT Incident Aug-16
10 Newkirk Products, Inc. Business Associate 3,466,120 Hacking/IT Incident Aug-16
11 AccuDoc Solutions Inc. Business Associate 2,650,000 Hacking/IT Incident Nov-18
12 21st Century Oncology Healthcare Provider 2,213,597 Hacking/IT Incident Mar-16

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.