Atrium data breach affects patient records at CMC, some other hospitals

By Mark Manicone

Hackers may have accessed more than 2 million Atrium Health customers’ billing information and Social Security numbers in a breach reported by the company Nov. 27.
Charlotte-based Atrium, formerly Carolinas Healthcare System, operates major medical facilities that serve many Lancaster County residents, including Carolinas Medical Center and regional hospitals in Pineville and Waxhaw.
Certain databases containing Atrium’s information at AccuDoc Solutions, a third-party vendor that provides billing and other services for healthcare providers, were hacked Sept. 22-29, according to an Atrium press release.
“The exact number is hard to pinpoint, but based on our investigation it looks like the unauthorized user gained access to databases that had about 2.65 million records,” said Atrium Health spokesperson Chris Berger.
“It is very important to understand that the data was accessed but not downloaded in this incident. Our forensics reports indicate (hackers) were not able to actually download or remove the files.
“We are monitoring the situation closely. AccuDoc has enhanced their security measures… and we have notified the patients and guarantors who may have been impacted by this incident,” he said.
Of the possibly 2.65 million people affected, 700,000 may have had their Social Security numbers compromised.
Personal clinical and medical records were not involved, nor was financial account information, such as bank account numbers or credit card or debit card information.
Information that may have been accessed includes certain personal information about patients and guarantors (a person who is responsible for paying a patient’s bill).
This information may have included first and last name, home address, date of birth, insurance policy information, medical record number, invoice number, account balance, dates of service and, in some instances, Social Security numbers.
As soon as the breach was discovered, AccuDoc terminated the unauthorized access, retained a forensic firm and took steps to secure its affected databases and enhance its security controls. The company also reported the breach to Atrium on Oct. 1.
Atrium also looked into its system’s security safeguards and activity and hired an independent firm to investigate. Both AccuDoc and Atrium Health have been in contact with the FBI.
Data breaches are not unfamiliar to South Carolinians. Last year, the credit reporting giant Equifax suffered a data breach that affected 2.4 million S.C. residents and 143 million people nationwide.
And in 2012, the S.C. Department of Revenue reported a breach that affected more than 6 million taxpayers. State-supported credit monitoring of those affected in the 2012 breach ended earlier this month, according to The State newspaper.
Getting help
Those with Social Security numbers involved in the Atrium case are being offered free credit monitoring and identity protection services. For questions or additional information, call toll-free (833) 228-5726 from 9 a.m. to 6 p.m. weekdays. Patients can also visit www.krollfraudsolutions.com/accudocincident for a list of frequently asked questions.
For information on various steps individuals can take to protect their identity and information, please visit Tips & Advice for Consumers at the Federal Trade Commission’s website at www.ftc.gov.

Follow reporter Mark Manicone on Twitter @mark_manicone or contact him at (803) 283-1152.