Dec 1, 2018
AccuDoc Solutions Inc., a provider of healthcare billing services, has suffered a major data breach in which the protected health information (PHI) of 2,650,000 patients of Atrium Health was exposed.
Morrisville, NC-based AccuDoc Solutions prepares patient bills and manages the online payment system used by Atrium Health, a network of 44 hospitals across North Carolina, South Carolina, and Georgia.
On October 1, 2018, AccuDoc Solutions informed Atrium Health that a few of its databases had been compromised. The breach investigation revealed that hackers had gained access to AccuDoc Solutions databases between September 22 and September 29, 2018.
A wide-ranging forensic investigation into the attack verified that patient information had been compromised, but that the information stored in its databases could only be viewed. No PHI was downloaded by the attackers or distributed through other networks.
AccuDoc Solutions said the breach was due to a security vulnerability at a third-party vendor. The business relationship with that vendor has now been ended. AccuDoc Systems has locked out the hackers and has strengthened its security measures to prevent future attacks.
Atrium Health said the information compromised in the attack was limited to patients’ names, service dates, account balances, invoice numbers, addresses, and health insurance information. Roughly 700,000 Social Security numbers were also compromised; however, no confidential financial information or medical records were affected.
“We are informing the patients and underwriters who might have been impacted by this occurrence. We take cybersecurity very earnestly, and we’ve worked very hard to decide precisely what occurred, and how to avoid it from occurring once again,” said a spokesperson for Atrium Health. “The fact that even one record was accessed is one too many. Our patients believe us to keep all of their information secret, which is why we took action so swiftly.”
Atrium Health is now notifying all affected patients and has offered credit monitoring and identity theft protection services to patients impacted by the breach.
AccuDoc serves roughly 50 other healthcare providers; however, just one other client was affected by the breach: Baylor Medical Center in Frisco, TX. Roughly 40,000 Baylor Medical Center patients were affected.
Based on the estimated number of people affected, this is the biggest healthcare data breach since the 3,466,120-record breach at Newkirk Products Inc. that was reported to OCR in September 2016. It is the eleventh biggest healthcare data breach reported since OCR began publishing breach summaries in 2009.
Biggest Ever Healthcare Data Breaches
| Rank | Entity | Entity Type | Individuals Affected | Breach Type | Date |
|---|---|---|---|---|---|
| 1 | Anthem Inc. | Health Plan | 78,800,000 | Hacking/IT Incident | Feb-15 |
| 2 | Premera Blue Cross | Health Plan | 11,000,000 | Hacking/IT Incident | Mar-15 |
| 3 | Excellus Health Plan, Inc. | Health Plan | 10,000,000 | Hacking/IT Incident | Sep-15 |
| 4 | Science Applications International Corporation | Business Associate | 4,900,000 | Loss | Nov-11 |
| 5 | University of California, Los Angeles Health | Healthcare Provider | 4,500,000 | Hacking/IT Incident | Jul-15 |
| 6 | Community Health Systems Professional Services Corporation | Business Associate | 4,500,000 | Hacking/IT Incident | Aug-14 |
| 7 | Advocate Health and Hospitals Corporation, dba Advocate Medical Group | Healthcare Provider | 4,029,530 | Theft | Aug-13 |
| 8 | Medical Informatics Engineering | Business Associate | 3,900,000 | Hacking/IT Incident | Jul-15 |
| 9 | Banner Health | Healthcare Provider | 3,620,000 | Hacking/IT Incident | Aug-16 |
| 10 | Newkirk Products, Inc. | Business Associate | 3,466,120 | Hacking/IT Incident | Aug-16 |
| 11 | AccuDoc Solutions Inc. | Business Associate | 2,650,000 | Hacking/IT Incident | Nov-18 |
| 12 | 21st Century Oncology | Healthcare Provider | 2,213,597 | Hacking/IT Incident | Mar-16 |