Cyber Incident Victim: Atrium Health
Date:
Sep 2018
Location:
United States of America
Summary
A cybersecurity incident involving Atrium Health's third-party billing vendor, AccuDoc Solutions, potentially exposed personal data of approximately 2.65 million patients and guarantors. Unauthorized access to the vendor's systems occurred over a week-long period, compromising information such as names, addresses, birth dates, insurance details, medical record numbers, and Social Security numbers for some individuals. While the investigation confirmed data access, no evidence indicated information was downloaded or misused, and no financial account numbers or clinical records were affected. The breach impacted multiple healthcare networks affiliated with the organization, though specific financial or medical data remained secure throughout the incident.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
The Atrium Health breach originated from unauthorized access to systems operated by its third-party billing vendor, AccuDoc Solutions. Between September 22 and September 29, 2018, an external actor compromised AccuDoc's databases, potentially exposing information related to approximately 2.65 million patients and guarantors. Atrium Health, headquartered in Charlotte, North Carolina (formerly Carolinas HealthCare System), was notified of the incident by AccuDoc on October 1, 2018. The health system promptly initiated a forensic investigation to determine the scope and nature of the intrusion. The review confirmed that the attacker had accessed—but not demonstrably exfiltrated—personal and billing data during the seven-day window. Exposed information included names, addresses, dates of birth, insurance policy details, medical record numbers, invoice numbers, account balances, and dates of service. Social Security numbers were compromised for a subset of individuals, though no financial account numbers, payment card details, clinical records, or medical histories were involved.
The breach impacted not only Atrium Health’s primary operations but also several affiliated regional healthcare networks under its management. These included Blue Ridge HealthCare System, Columbus Regional Health Network, New Hanover Regional Medical Center Physician Group, Scotland Physicians Network, and St. Luke’s Physician Network. Atrium Health’s public statement emphasized that forensic analysis found no evidence of data theft or subsequent misuse, though the sheer volume of potentially affected individuals positioned it among the largest healthcare breaches of 2018. The organization directly notified all individuals whose information was involved and underscored that AccuDoc’s systems did not contain clinical care data. No operational disruptions to medical services were reported as a result of the incident, and Atrium Health maintained that no financial fraud or identity theft incidents linked to the breach had been identified at the time of disclosure.