[BreachExchange] Atrium Health says hacking compromised personal data of more than 2 million people

[Destry Winant]

https://www.charlotteobserver.com/news/business/article222248245.html

Personal information for more than 2 million Atrium Health patients
may have been compromised in a data breach of billing information,
including addresses, dates of birth and Social Security numbers, the
Charlotte health care giant said Tuesday.

A hacking affecting Atrium billing vendor AccuDoc may have affected as
many as 2.65 million people, Charlotte-based Atrium said. Of those,
about 700,000 patients may have had Social Security numbers
compromised, according to Atrium.

Atrium Health, formerly Carolinas HealthCare System, operates 44
hospitals across North Carolina, South Carolina and Georgia. Atrium is
the largest health care provider and employer in Charlotte.

Compromised patient information also includes insurance policy
information, medical record numbers, invoice numbers, account balances
and dates of service, according to a joint news release from Atrium
and AccuDoc. Atrium emphasized that the information was accessed but
not downloaded.

Medical records were not accessed, Atrium said, and neither were bank
account or debit and credit card numbers.

AccuDoc, a Raleigh-area company that prepares bills and operates the
website where patients can make payments online, became aware that a
cyber incident took place on Oct. 1, according to the release. An
“unauthorized third party” accessed the patient information between
Sept. 22 and 29, the release said.

AccuDoc general counsel Kenneth Perkins did not rule out that more
patients might be affected than the number disclosed Tuesday but said
it’s highly unlikely the number will grow. That’s because the current
figures are based on entire databases of patients out of an abundance
of caution, he said.

But, “anything is possible,” he said. “We’ve tried to take the high
road and (notified) everybody and be good stewards. ... We take health
care privacy very seriously.”

The only other AccuDoc client affected by the hack was Baylor Medical
Center at Frisco in Texas, he said. Data for about 40,000 people were
impacted at that hospital, which is about an hour north of Fort Worth.

Atrium Health and AccuDoc said they began notifying patients of the
hacking on Tuesday, nearly two months after they became aware of the
incident.

“These are complicated investigations,” Atrium spokesman Chris Berger
said Tuesday. “We’ve been working around the clock with AccuDoc,
outside forensic investigators and the FBI to get to the bottom of
this incident.”

Since the hacking, AccuDoc strengthened its security controls and
Atrium has reviewed its systems, Berger said.

AccuDoc and Atrium hired forensic experts and those “investigations
indicate that the information was not removed from AccuDoc’s systems,”
the joint news release said.

What happened

The incident is the latest example of a hacking involving a
third-party firm and affecting large amounts of U.S. consumer data.
Such firms are widely used by companies in many industries, including
banking and retail.

AccuDoc has worked for Atrium for more than five years, Perkins said.
The company mails bills to Atrium patients and provides web services
for the hospital system, such as patient portals, he said.

The hacking affecting Atrium patient data traced back to another
vendor that AccuDoc used, Perkins said. It was that vendor that was
hacked, and the hacker then obtained the Atrium information, he said.

It’s the first hacking to affect AccuDoc in its roughly 13-year
history, Perkins said.

“It was not a security weakness at AccuDoc,” he said. “It was a
security weakness at a third-party vendor.”

That vendor was immediately fired, he said.

How to get help

Patients whose Social Security numbers were affected can get free
credit monitoring and identity protection, offered through the
companies, the press release said.

Patients who think they may be affected can visit
www.krollfraudsolutions.com/accudocincident/. Individuals who may be
affected can also call 833-228-5726 for more information.

Last year, 1,022 data breaches were reported to the North Carolina
Department of Justice, affecting an estimated 5.3 million N.C.
residents. About half of the breaches were hacking incidents.

A prominent hacking incident occurred in Mecklenburg County when a
hacker gained access to at least one government employee’s computer
network log-in ID and launched a ransomware attack on the county.

In the Atrium incident, locations impacted by the breach, include Blue
Ridge HealthCare System, Columbus Regional Health Network, New Hanover
Regional Medical Center Physician Group, Scotland Physicians Network
and St. Luke’s Physician Network.

The hack is the latest problem confronting Atrium this year.

In April, a group of about 90 doctors announced they wanted to leave
the hospital system, accusing it of monopolistic and anti-competitive
behavior.

Around the same time, Atrium faced a nasty public battle with an
anesthesiology provider it had decided to sever ties with.

And this month, a group of former Atrium employees filed a federal
class action lawsuit against the health care company, alleging that
the hospital chain had cheated thousands of employees over retirement
and health benefits by falsely claiming to be an arm of government.