Attack on Billing Vendor Results in Massive BreachAtrium Health Says Attack on AccuDoc Affected 2.65 Million Individuals
North Carolina-based Atrium Health is notifying 2.65 million individuals of a data breach involving a cyberattack on databases hosted by a third-party billing vendor, AccuDoc. If details are confirmed by federal regulators, the incident would be the largest health data breach reported so far in 2018.
In a statement issued Tuesday, Charlotte, N.C.-based Atrium Health - formerly called Carolinas HealthCare System - says certain databases containing billing information belonging to it and its managed locations may have been targeted in the attack on AccuDoc, which provides billing and other services for healthcare providers, including Atrium Health.
AccuDoc did not immediately respond to an Information Security Media Group inquiry about whether any of the vendor's other clients were impacted by the cyberattack.
Both AccuDoc and Atrium Health have been in contact with the FBI about the incident, Atrium says.
Atrium says that based on an extensive forensic review of AccuDoc's systems, it appears that an unauthorized third party gained access to AccuDoc's databases between Sept. 22 and Sept. 29. AccuDoc informed Atrium Health on Oct. 1.
"The forensic investigations indicate that the information was not removed from AccuDoc's systems. In addition, Atrium Health's core systems and those of its managed locations are separate from AccuDoc's systems and were not involved in this incident," Atrium's statement says.
Atrium says information that may have been accessed includes certain personal information about patients and guarantors - those responsible for paying a patient's bill. That information may have included name, home address, date of birth, insurance policy information, medical record number, invoice number, account balance and dates of service.
An Atrium spokesman tells ISMG the impacted data also included about 700,000 Social Security numbers.
Personal clinical and medical records were not involved, nor was financial account information, such as bank account numbers or credit card or debit card information, Atrium says.
The databases accessed by the unauthorized third party contained information provided in connection with payment for healthcare services at certain Atrium Health locations, including Blue Ridge HealthCare System, Columbus Regional Health Network, New Hanover Regional Medical Center Physician Group, Scotland Physicians Network and St. Luke's Physician Network, Atrium says.
Those impacted are being offered free credit monitoring. "It is very important to understand that the data was accessed but not downloaded in this incident," the Atrium spokesman says.
"We are monitoring the situation closely. AccuDoc has enhanced their security measures, closed off the comprised path, and we have notified the patients and guarantors who may have been impacted by this incident," he says. "We take cybersecurity very seriously, and you can be sure we've worked very hard to determine exactly what happened, and how to prevent it from happening again."
Prior to the revelation of the Atrium breach, the largest breach so far posted on the Department of Health and Human Services' HIPAA Breach Reporting Tool website this year was reported in July by Iowa Health System, which operates under the name UnityPoint. That incident, which involved a phishing attack, impacted 1.4 million individuals.
Commonly called the "wall of shame", the HHS' Office for Civil Rights' website lists health data breaches impacting 500 or more individuals.
Vendor Risk Management
Some experts say the AccuDoc breach spotlights the serious potential risks for healthcare entities involving attacks on their vendors.
"This incident just underscores the magnitude of breaches where aggregators of multiple healthcare entities' data are involved," says Mac McMillan, president of security consulting firm CynergisTek. "Due diligence should be heightened for these vendors with respect to the active protections they employ around their computing environments/applications."
Security experts also note that organizations can take steps to help mitigate the risks posed by hacks of third-party vendors.
"To the extent possible, it is important to conduct some kind of risk assessment of third- party vendors at the time their products or services are being evaluated," says Keith Fricke, principle consultant at tw-Security. "It is not enough to only sign a business associate agreement."
While AccuDoc, which provides technology services to more than 50 hospitals and healthcare systems, mostly in eastern U.S., has not yet commented on whether other clients were also impacted in the cyberattack, it's conceivable that other entities were also affected, Fricke notes.
"It depends on the scope of the exposure. If AccuDoc maintains its systems in a way where all its customers use the same database and has logical access controls for data, then yes, it is possible that all its customers experienced the same exposure," he says. "On the other hand, if AccuDoc maintains a separate instance of its product for each customer, it is possible that only Atrium Health's instance was exposed."
Other health data breaches this year have involved third-party vendors.
For instance, in August, Lafayette, Louisiana-based Acadiana Computer Systems, which operates ACS Medical Business Solutions, said it became aware in July that an employee's email account had been accessed by an unauthorized individual.
That hacking attack targeting the revenue cycle management software and services vendor impacted more than 31,000 patients at 11 healthcare organizations.