A database of more than 2.6 million billing records of patients at Atrium Health—formerly Carolinas HealthCare System—is believed to have been compromised by hackers.
The breach hit one of the health system's third-party vendors, AccuDoc Solutions, in September, the company and the health system said in a joint announcement on Tuesday. That database included names, addresses, dates of birth, insurance policy information, medical record numbers, invoice numbers, account balances, dates of service and, in some instances, Social Security numbers.
Specifically, the database accessed involved data in connection with payment for healthcare services at locations managed by Atrium Health, including Blue Ridge HealthCare System, Columbus Regional Health Network, NHRMC (New Hanover Regional Medical Center) Physician Group, Scotland Physicians Network and St. Luke’s Physician Network.
However, the firm emphasized the breach did not hit Atrium Health's core systems, nor did it involve clinical information or financial information such as bank account or credit card numbers. Forensics reports show hackers were not able to actually download or remove the files, they said in a statement.
"But the fact that even one record was accessed is one too many. Our patients expect us to keep all of their information private, which is why we took action so quickly," said Chris Berger, a health system spokesman in an emailed statement. "We take cybersecurity very seriously, and you can be sure we’ve worked very hard to determine exactly what happened, and how to prevent it from happening again."
Atrium said it is monitoring the situation, while AccuDoc enhanced security and closed off the compromised path. The health system also notified patients and guarantors who might have been impacted by the incident. They began notifying patients on Tuesday.
"While we are not aware of any misuse, AccuDoc and Atrium Health are contacting patients and guarantors whose information was in the affected databases out of an abundance of caution. Those with Social Security numbers involved in this incident are being offered free credit monitoring and identity protection services," officials from the health system and the company said in a joint statement.