Atrium Health, based in Charlotte, North Carolina, says hackers accessed two databases held by AccuDoc Solutions Inc., a billing vendor, that contained protected health information (PHI) for more than two million people.
The incident, which occurred between Sept. 22 and Sept. 29, also involved about 40,000 records from Baylor Scott & White Medical Center in Frisco, Texas, according to AccuDoc.
The total number of individuals affected—2,650,537—makes this the largest breach listed on the HHS Office for Civil Rights breach reporting portal for the last 24 months.
The information that was accessed—but not downloaded, Atrium Health and AccuDoc officials both stress—included names, addresses, dates of birth and insurance policy information. For around 700,000 people, the information may have included Social Security numbers, officials from the two organizations say.
The incident occurred when an AccuDoc software vendor was hacked. That “then led to AccuDoc being hacked,” Chris Berger, Atrium Health assistant vice president for corporate communications, tells RPP. Still, he adds, “our forensics reports indicate they were not able to actually download or remove the files.”