Atrium Health, one of the most prominent healthcare networks in North Carolina recently reported that more than two million of their patient’s data may have been leaked due to a cybersecurity breach they experienced.
If you are not familiar with Atrium Health, they were formerly Carolinas HealthCare System. They are a non-profit hospital network in North Carolina that operates hospitals, emergency centers, urgent care locations & doctor’s offices.
So, needless to say, any breach of a healthcare network is very serious and can have huge consequences for both the business and their patients.
When Did The Hack Happen?
The data breach happened due to AccuDoc, the company Atrium Health uses for billing & invoicing.
Unfortunately, over 2.6 million people’s data was leaked in the attack. And because this attack was focused on their billing vendor, no medical records were leaked.
The vendor AccuDoc was reported as saying that someone gained access to information between September 22nd, 2018 and September 29th before they secured the system, and any patients that had their data leaked will be notified.
Exactly What Data Was Leaked?
The total number of individuals who had data leaked is hard to pin down. However, based on various investigations, it looks like malicious actors gained access to a database with around 2.65 million records.
Of that 2.65 million, around 700,000 had their social security number leaked. However, some reports claimed data was accessed but not downloaded. That means that some of these users may be safe because the data was not downloaded for further viewing.
The team at Atrium Health started monitoring the situation closely after they discovered the breach happened. On top of close monitoring, AccuDoc, the vendor responsible for the breach, has reportedly increased its security measures and fixed the method that hackers used to gain access to their system.
Again, this incident did not involve Atrium Health’s systems. However, in today’s environment, we are constantly evaluating and evolving our systems to protect patient information. To that end, we have also reviewed our systems to ensure we’re armed against similar attempts. We take cybersecurity very seriously, and we’ve worked very hard to determine exactly what happened, and how to prevent it from happening again, an Accudoc spokesperson said.
The Infiltration Was Limited, Luckily
Luckily, the systems at Atrium Health were not directly integrated with those at AccuDoc. That means that all of Atrium’s locations and data were not leaked during the compromise.
However, the data leaked included name, address, date of birth, insurance policy numbers, invoice numbers, account balances, and social security numbers as we stated earlier. The team at AccuDoc has notified all those whose data was leaked in writing and set up a toll-free number to answer questions and provide help.
For those who had their social security numbers leaked, AccuDoc has set up free credit monitoring services. This will help protect social security numbers from being used by malicious actors to open credit cards or other accounts.
AccuDoc & Atrium Health were quoted: “Individuals should monitor their account statements, bills, notices, and insurance transactions for incidents of unauthorized activity, and contact Atrium Health with any questions or concerns,” officials said. “We deeply regret the incident that occurred regarding AccuDoc’s databases, and we apologize for any inconvenience.”
More About AccuDoc and Their Relationship With Atrium
The billing & processing company AccuDoc serves about 50 clients, but luckily none of their other healthcare clients had data leaked during this incident.
However, it doesn’t look good for the company. This is due to the breach being the biggest data leak in a healthcare organization in 2018, and the 11th biggest breach of healthcare data ever seen. When Atrium was asked if they would retain the services of AccuDoc in the future they were quoted as saying, “Our focus right now is on this cyber incident.”
When Was Atrium Notified Of The Breach?
Atrium Health was told about the data breach at AccuDoc on October 1st. This is a few days after the breach took place, which was from September 22 – 29, 2018.
This is largely due to the complex nature of the investigations when it comes to cybersecurity. The team at AccuDoc retained the help of outside cybersecurity professionals and the FBI to better understand the incident. Even if a business has an internal cybersecurity team, this is often a common process.
The fact that the system was entered we believe obligates us to go ahead and — out of an abundance of caution — notify any patient or guarantor who could have been in that database, a representative said.
This case outlines why you need to know the security setup of the vendors you use. The issues with your vendor’s security can affect your business, customers, and bottom line. So before you retain a vendor for a mission-critical task like billing or data storage, you should put some time into questioning their security protocols and methods. And with cybersecurity attacks increasing in both complexity and frequency, this is an issue many if not all businesses will have to deal with over the coming decade.
What Do You Need To Ask Your Vendors?
There are several important questions you need to ask, including:
What are some basic cybersecurity measures you practice? “The first and most basic practice your vendor should follow is to stop the bleeding. By this, I mean to secure their network with the best VPNs, use a firewall, and regularly back-up sensitive data,” says Daniel Kinsella of Privacy Australia. “In 2019, VPN services are no longer a luxury, it’s a necessity.” Vendors should make sure to use a VPN which a strict no-logging policy, such as NordVPN.
Do they have internal cybersecurity staff or just third-party vendors? This can give you further insight into their priority of cybersecurity. While it’s not bad to employ outside third-parties to handle cybersecurity, it’s important to have some internal staff also.
Have they had a hack or data breach before? This is important so you can assess their overall security, and how secure your data will be with the vendor.
What is their protocol for informing partners and customers of a data breach? You will want to know if a breach happens, what the protocol exactly is.
Asking the above kinds of questions to ensure that any vendors you use practice good cybersecurity measures will be well worth your time and effort to ask.
As a security analyst working in Beijing in 2008, I struggled to connect to basic websites like Facebook and Wikipedia (coincidentally, many more websites are banned in China today than were then). Naturally, I started looking for a solution. VPN services were, at the time, security tools used by large I.T. companies or cybersecurity professionals.