Atrium Health’s Data Breach: 2.65 Million Patient Records Publicly Revealed
Atrium Health, formerly Carolinas HealthCare System, which touted itself as ‘one of the nation’s leading and most innovative healthcare organizations’, has publicly disclosed that a system supplied by AccuDoc Solutions suffered a data breach between September 22 and 29, 2018, which exposed 2.65 million patient records to an unauthorized and unknown third party. The disclosure also revealed that the patient records contain Social Security numbers, birthdates, addresses, insurance policy data, invoice numbers, account balances and full names, enough data to commit identity theft against the patients.
AccuDoc Solutions Inc. provides the billing system for Atrium Health. It is a known provider in the field of IT systems, and 50 other medical institutions rely on AccuDoc as their hardware/software solution supplier. Atrium has assured its customers that no other financial and medical records were exposed during the one-week exposure of AccuDoc’s system.
“AccuDoc continues to monitor its systems for any additional related activity. AccuDoc informed Atrium Health of the incident on October 1, 2018. Atrium Health takes this matter very seriously and engaged its own nationally-recognized forensic investigator to conduct an independent review of the incident. Atrium Health also reviewed its security safeguards and remains vigilant for similar types of incidents. Both AccuDoc and Atrium Health have been in contact with the Federal Bureau of Investigation (FBI),” explained Atrium Health in their official press statement.
The FBI entered the case as early as Oct 1, when the initial detection of a breach was internally reported through forensic examinations. At the time of this writing, there was no network activity indicator proving that patient databases had been downloaded, but there is strong evidence that they were opened for viewing by an unknown party.
Atrium Health has identified the following medical groups or institutions as having patient data included: the Scotland Physicians Network, St. Luke’s Physician Network, New Hanover Regional Medical Center Physician Group, Blue Ridge HealthCare System and Columbus Regional Health Network.
“We’ve tried to take the high road and (notified) everybody and be good stewards. … We take health care privacy very seriously. It was not a security weakness at AccuDoc. It was a security weakness at a third-party vendor,” said Kenneth Perkins, Atrium Health’s. It took the healthcare institution two months to notify the affected patients. “These are complicated investigations. We’ve been working around the clock with AccuDoc, outside forensic investigators and the FBI to get to the bottom of this incident,” explained Chris Berger, Atrium Health’s spokesperson.
Affected patients can avail themselves of free credit monitoring services, with details posted on the website www.krollfraudsolutions.com/accudocincident/. A special hotline, 833-228-5726, has also been set up for those who want to speak with Atrium Health about the issue. “This toll-free number is open Monday through Friday, 9:00 AM to 6:00 PM Eastern Time. This substitute notice and toll-free number will remain active for at least 90 days. We deeply regret the incident occurred regarding AccuDoc’s databases, and we apologize for any inconvenience,” concluded Atrium Health.
Kevin Jones