Atrium Health has revealed a data breach which exposed information belonging to roughly 2.65 million patients.
“One record accessed is one too many,” Atrium Health told ZDNet in relation to the breach, which was caused by the organization’s billing vendor, a third party known as AccuDoc Solutions.
Between Sept. 22 and Sept. 29, an unauthorized threat actor was able to gain access to databases containing the records, which included names, home addresses, dates of birth, insurance policy information, service dates, medical record numbers, and account balances.
In addition, roughly 700,000 Social Security numbers were exposed.
Financial information such as credit card numbers is not thought to be at risk.
The records were held in relation to payments made at an Atrium Health location, alongside Atrium Health-managed locations including Blue Ridge HealthCare System, Columbus Regional Health Network, NHRMC Physician Group, Scotland Physicians Network, and St. Luke’s Physician Network.
Atrium Health, formerly known as Carolinas HealthCare System, is a not-for-profit healthcare and wellness provider operating in North and South Carolina. The company operates a number of hospitals, emergency departments, and healthcare programs.
The organization is keen to emphasize that while the records were accessed without permission, “our forensics reports indicate the [user] was not able to actually download or remove the files.”
The compromised servers were operated by AccuDoc and separate from Atrium Health’s systems.
AccuDoc informed Atrium Health of the breach on Oct. 1, and immediately after discovery, the billing vendor cut off the unauthorized access point, hired a cyberforensics firm, and began shoring up database security.
Both Atrium Health and AccuDoc have notified the FBI. The organizations say there is no evidence of data misuse but are still contacting all patients and guarantors involved in the breach out of caution.
In the cases where Social Security numbers were exposed, these individuals will be offered free credit monitoring services.