Atrium Health has revealed a data breach which exposed information belonging to roughly 2.65 million patients.
"One record accessed is one too many," Atrium Health told us in relation to the breach, which was caused by the organization's billing vendor, a third party known as AccuDoc Solutions.
Between September 22 and September 29, an unauthorized threat actor was able to gain access to databases containing the records, which included names, home addresses, dates of birth, insurance policy information, service dates, medical record numbers, and account balances.
In addition, roughly 700,000 Social Security numbers were exposed.
Financial information such as credit card numbers is not thought to be at risk.
The records were held in relation to payments made at an Atrium Health location, alongside Atrium Health-managed locations including Blue Ridge HealthCare System, Columbus Regional Health Network, NHRMC Physician Group, Scotland Physicians Network, and St. Luke's Physician Network.
Atrium Health, formerly known as Carolinas HealthCare System, is a not-for-profit healthcare and wellness provider operating in North and South Carolina. The company operates a number of hospitals, emergency departments, and healthcare programs.
The organization is keen to emphasize that while the records were accessed without permission, "our forensics reports indicate the [user] was not able to actually download or remove the files."
The compromised servers were operated by AccuDoc and separate from Atrium Health's systems.
AccuDoc informed Atrium Health of the breach on October 1. Immediately after discovery, the billing vendor cut off the unauthorized access point, hired a cyberforensics firm, and began shoring up database security.
"AccuDoc continues to monitor its systems for any additionally related activity," the companies said. "Atrium Health also reviewed its security safeguards and system activity, as well as engaged its own nationally recognized forensic investigative firm to conduct a thorough independent review of the incident."
Both Atrium Health and AccuDoc have notified the FBI. The organizations say there is no evidence of data misuse, but are still contacting all patients and guarantors involved in the breach out of caution.
In the cases where Social Security numbers were exposed, these individuals will be offered free credit monitoring services.