Data Breach at Atrium Health’s Business Associate Impacts 2.65 Million Patients


Healthcare billing services provider, AccuDoc Solutions Inc, reported a data breach that caused the compromise of the protected health information (PHI) of 2,650,000 Atrium Health patients.

AccuDoc Solutions in Morrisville, NC prepares the bills for Atrium Health’s patients. At the same, AccuDoc Solutions operates the online payment system utilized by Atrium Health and its network of 44 hospitals all over Georgia, North Carolina and South Carolina.

On October 1, 2018, Atrium Health received a notification from AccuDoc Solutions about the compromise of some of its databases. The investigators of the breach found out that hackers were able to access AccuDoc Solutions databases from September 22 to September 29, 2018.

An in depth forensic investigation of the breach confirmed the compromise of patient information. However, it was noted that the hacker could only view the information saved in its databases. The attacker did not download any data or distribute it using other channels.

AccuDoc Solutions reported that the cause of the breach was a third-party vendor’s security flaw, and so any business connection with the vendor was terminated. AccuDoc Systems secured its systems to block the hackers’ access. and further improved its security procedures to protect against future attacks.

Atrium Health pointed out the compromised data only included the patients’ names, addresses, service dates, invoice numbers, account balances and medical insurance details. The Social Security numbers of about 700,000 people were also compromised. But no other sensitive financial data or healthcare records were exposed.

Atrium Health’s spokesperson stated that all patients and guarantors potentially affected by the breach were notified. In addition, Cybersecurity is very important and so they are taking steps to find out what really happened and to prevent similar incidents in the future. Even if just one record was accessed, that is unacceptable because we expect to protect the privacy of all information of our patients.

Atrium Health is currently informing all patients affected by the breach and offering them credit monitoring and identity theft protection services. AccuDoc has about 50 other healthcare providers; nonetheless the breach only affected one more client: Baylor Medical Center located in Frisco, TX. About 40,000 of its patients were impacted.

According to the approximated number of people affected, this is the biggest healthcare data breach since September 2016 when Newkirk Products Inc. reported to OCR its 3,466,120-record breach. This healthcare data breach is the eleventh largest since 2009 when OCR began posting breach summaries.

  1. Largest Ever Healthcare Data Breaches
  2. Anthem Inc. – 78,800,000-records breach – February 2015
  3. Premera Blue Cross – 11,000,000-records breach – March 2015
  4. Excellus Health Plan, Inc. – 10,000,000-records breach – September 2015
  5. Science Applications International Corporation – 4,900,000-records breach – November 2011
  6. University of California, Los Angeles Health – 4,500,000-records breach – July 2015
  7. Community Health Systems Professional Services Corporation – 4,500,000-records breach – August 2014
  8. Advocate Health and Hospitals Corporation, dba Advocate Medical Group – 4,029,530-records breach – August 2013
  9. Medical Informatics Engineering – 3,900,000-records breach – July 2015
  10. Banner Health – 3,620,000-records breach – August 2016
  11. Newkirk Products, Inc. – 3,466,120-records breach – August 2016
  12. AccuDoc Solutions Inc. – 2,650,000-records breach – November 2018
  13. 21st Century Oncology – 2,213,597-records breach – March 2016