2.65 Million Atrium Health Patients Affected by Business Associate Data Breach

Dec 1, 2018


AccuDoc Solutions Inc., a supplier of healthcare billing facilities, has suffered a main data breach in which the protected health information of 2,650,000 patients of Atrium Health was disclosed.

Morrisville, NC-based AccuDoc Solutions makes bills for patients and manages the online payment system used by Atrium Health, a network of 44 hospitals all over North Carolina, South Carolina, and Georgia.

On October 1, 2018, AccuDoc Solutions informed Atrium Health that a few of its databases had been undermined. The breach inquiry disclosed hackers had gained access to AccuDoc Solutions databases between September 22 and September 29, 2018.

A wide-ranging forensic inquiry into the attack verified that patient information had been undermined, but the information saved in its databases could only be seen. No PHI was downloaded by the attackers nor distributed through other networks.

AccuDoc Solutions informed that the breach was due to a safety vulnerability at a third-party seller. The business relationship with that seller has now been ended. AccuDoc Systems has locked out the hackers and has increased its safety measures to avoid future attacks.

Atrium Health said the information undermined in the attack was restricted to patients’ names, service dates, account balances, invoice numbers, addresses, and health insurance information. Roughly 700,000 Social Security numbers were also compromised; however, no confidential financial information or medical records were affected.

“We are informing the patients and underwriters who might have been impacted by this occurrence. We take cybersecurity very earnestly, and we’ve worked very hard to decide precisely what occurred, and how to avoid it from occurring once again,” said a spokesperson for Atrium Health. “The fact that even one record was accessed is one too many. Our patients believe us to keep all of their information secret, which is why we took action so swiftly.”

Atrium Health is now informing all affected patients and has offered credit checking and identity theft protection facilities to patients impacted by the breach.

AccuDoc serves roughly 50 other healthcare suppliers; however just one other client was affected by the breach: Baylor Medical Center in Frisco, TX. Roughly 40,000 Baylor Medical Center patients were affected.

Based on the approximated number of people affected, this is the biggest healthcare data breach since the 3,466,120-record breach at Newkirk Products Inc. that was informed to OCR in September 2016. It is the eleventh biggest healthcare data breach informed since OCR began publishing breach summaries in 2009.

Biggest Ever Healthcare Data Breaches

Rank Entity Entity Type Individuals Affected Breach Type Date
1 Anthem Inc. Health Plan 78,800,000 Hacking/IT Incident Feb-15
2 Premera Blue Cross Health Plan 11,000,000 Hacking/IT Incident Mar-15
3 Excellus Health Plan, Inc. Health Plan 10,000,000 Hacking/IT Incident Sep-15
4 Science Applications International Corporation Business Associate 4,900,000 Loss Nov-11
5 University of California, Los Angeles Health Healthcare Provider 4,500,000 Hacking/IT Incident Jul-15
6 Community Health Systems Professional Services Corporation Business Associate 4,500,000 Hacking/IT Incident Aug-14
7 Advocate Health and Hospitals Corporation, dba Advocate Medical Group Healthcare Provider 4,029,530 Theft Aug-13
8 Medical Informatics Engineering Business Associate 3,900,000 Hacking/IT Incident Jul-15
9 Banner Health Healthcare Provider 3,620,000 Hacking/IT Incident Aug-16
10 Newkirk Products, Inc. Business Associate 3,466,120 Hacking/IT Incident Aug-16
11 AccuDoc Solutions Inc. Business Associate 2,650,000 Hacking/IT Incident Nov-18
12 21st Century Oncology Healthcare Provider 2,213,597 Hacking/IT Incident Mar-16