Billing information of some 2.65 million people – including Social Security numbers, birth dates and addresses – may have been compromised at Atrium Health in a "cyber incident" involving the databases of one of its vendors.

WHAT HAPPENED
Charlotte, North Carolina-based Atrium – formerly known as Carolinas HealthCare System – was contacted by its billing company, AccuDoc Solutions, on Oct. 1, and told that an unauthorized third-party had gained access to AccuDoc's databases between Sept. 22 and Sept. 29.

In addition to Atrium itself, other locations managed by it may have been affected, officials said, including Blue Ridge HealthCare System, Columbus Regional Health Network, New Hanover Regional Medical Center Physician Group, Scotland Physicians Network and St. Luke’s Physician Network.

Atrium then launche a forensic review that found that an unauthorized third party had compromised AccuDoc's systems during that time, and may have accessed – but not downloaded – information from patients and/or those responsible for their bills.

"We’ve been working around the clock with AccuDoc, outside forensic investigators and the FBI to get to the bottom of this incident," Atrium spokesman Chris Berger told the Charlotte Observer.

THE LARGER TREND
The number of patients potentially impacted by this incident would make it one of the larger healthcare breaches in recent memory. As of the middle of this year, there had been 142 separate breaches across healthcare in 2018, totalling more than 3 million people.

As one expert told Healthcare IT News earlier this month, 2018 was already shaping up to be a banner year, in all the wrong ways, when it came data breaches. There had been a slight dip in number of incidents and volume of records exposed since 2017, she said, but "2018 is on track to have the second most reported breaches and the third most records exposed since 2005."

ON THE RECORD
"Based on the review, the information that may have been accessed included certain personal information about patients and guarantors (a person who is responsible for paying a patient’s bill), including first and last name, home address, date of birth, insurance policy information, medical record number, invoice number, account balance, and dates of service," said Atrium officials in a statement. "For some individuals, the personal information may also have included Social Security numbers."

The health system added that "it does not appear that any personal information was taken from AccuDoc's systems and, to date, we are not aware of any misuse. In addition, no financial account numbers or credit or debit card numbers were involved in the incident, nor were clinical information or medical records."

Twitter: @MikeMiliardHITN
Email the writer: mike.miliard@himssmedia.com

Healthcare IT News is a publication of HIMSS Media.