The personal health data of more than 2 million Atrium Health patients has been compromised following a hack on the organization’s third-party billing vendor, AccuDoc.
According to a joint news release from Atrium Health (formerly Carolinas HealthCare System, headquartered in Charlotte) and the billing vendor AccuDoc, an unauthorized third party gained access to AccuDoc’s databases sometime between September 22 and September 29. Importantly, officials noted, forensic investigations indicated that the information was not removed from AccuDoc’s systems.
According to officials, the databases accessed by the unauthorized third party contained information provided in connection with payment for healthcare services at an Atrium Health location, and at locations managed by Atrium Health, including Blue Ridge HealthCare System, Columbus Regional Health Network, NHRMC (New Hanover Regional Medical Center) Physician Group, Scotland Physicians Network and St. Luke’s Physician Network.
Information that may have been accessed includes certain personal information about patients and guarantors, such as first and last name, home address, date of birth, insurance policy information, medical record number, invoice number, account balance, dates of service and, in some instances, Social Security numbers.
Officials did note that since Atrium Health’s core systems and those of its managed locations are separate from AccuDoc’s systems and were not involved in this incident, personal clinical and medical records were not involved, nor was financial account information, such as bank account numbers or credit card or debit card information.
According to an Atrium Health spokesperson, “The exact number [of affected records] is hard to pinpoint, but based on our investigation it looks like the unauthorized user gained access to databases that had about 2.65 million records. Of the 2.65 million, it appears around 700,000 included Social Security numbers. It is very important to understand that the data was accessed but not downloaded in this incident. Our forensics reports indicate they were not able to actually download or remove the files.”
However, according to a report in the Charlotte Observer, AccuDoc general counsel Kenneth Perkins did not rule out that more patients might be affected than the number disclosed, adding that “it’s highly unlikely the number will grow. That’s because the current figures are based on entire databases of patients out of an abundance of caution,” he said, according to that report. The story also noted that one other AccuDoc client, Baylor Medical Center at Frisco in Texas, was affected by the hack. Data for about 40,000 people were impacted at that hospital.
Atrium Health operates 44 hospitals across North Carolina, South Carolina and Georgia, and is the largest healthcare provider and employer in Charlotte. AccuDoc is a Morrisville, N.C.-based company that provides billing and other services for healthcare providers.
Currently, AccuDoc and Atrium Health are contacting patients and guarantors whose information was in the affected databases “out of an abundance of caution,” officials said.