Charlotte, N.C.-based Atrium Health is notifying 2.65 million individuals after its third-party billing vendor AccuDoc Solutions was hacked in late September.
Here are six things to know:
1. Atrium's core systems are separate from AccuDoc's system and were not involved in the incident. This means no clinical and medical records or financial account information, such as bank account numbers or credit card information, were accessed.
2. The compromised information stored on the hacked AccuDoc database includes names, addresses, dates of birth, insurance policy information, medical record numbers, invoice numbers, account balances and dates of service. About 700,000 Social Security numbers were also compromised.
3. AccuDoc immediately took action to secure Atrium and its other managed locations' information. It launched a forensic investigation into the incident with help from an independent national firm, which confirmed Atrium's data was not removed from the AccuDoc system, and officials are not aware of any misuse of the data.
4. In an email to Becker's Hospital Review, an Atrium spokesperson emphasized that the data was accessed but not downloaded in this incident. "Our forensics reports indicate they were not able to actually download or remove the files," the spokesperson said. "But the fact that even one record was accessed is one too many. Our patients expect us to keep all of their information private, which is why we took action so quickly."
5. The investigation revealed hackers accessed the database between Sept. 27 and Sept. 29. AccuDoc notified Atrium of the incident Oct. 1.
6. The spokesperson added: "AccuDoc has enhanced their security measures, closed off the comprised [sic] path, and we have notified the patients and guarantors who may have been impacted by this incident. We take cyber security very seriously, and you can be sure we've worked very hard to determine exactly what happened, and how to prevent it from happening again."