An unauthorized user accessed the personal information of as many as 2.65 million Atrium Health patients in September after getting into the systems of one of Atrium's third-party vendors.
While the user accessed Atrium Health information in databases of the vendor, AccuDoc Solutions, they did not download or remove the information, which included addresses, dates of birth, and Social Security numbers but not medical records or financial data.
"The fact that even one record was accessed is one too many," said Chris Berger, assistant vice president of corporate communications for Atrium Health, in a statement. "Our patients expect us to keep all of their information private, which is why we took action so quickly."
After AccuDoc, a billing vendor, told Atrium about the incident on Oct. 1, both organizations looked over their system activity to make sure data were secured. Atrium and AccuDoc each are reviewing the incident, which occurred between Sept. 22 and Sept. 29.
Breaches like this one, in which a hacker gains access to a large organization through one of its third-party vendors, are becoming more common, according to Bob Anderson, principal in the Chertoff Group's strategic advisory services practice. "The adversaries have figured out that it's much easier to just get the information they're looking for from a third party," Anderson said. Healthcare organizations therefore should vet not only their own but also their vendors' breach-response strategies.
Atrium Health may end up being only the first of several health systems affected by the breach to come forward.
"This could just be the tip of the iceberg," said Mac McMillan, co-founder and CEO of information security consulting firm CynergisTek. "When you have a third party that's essentially an aggregator of large amounts of patient information because they're holding and processing large amounts of patient information for multiple health systems, you could have a much bigger breach than you would of a single entity."
While the number of data breaches of healthcare provider organizations has actually gone down in 2018 compared with 2017, the number of breaches of business associates—that is, third parties—has risen 83%, according to HHS' Office for Civil Rights, which maintains the government's Breach Portal for healthcare data breaches.
Overall, data breaches classified as "unauthorized access/disclosure" by the OCR have been the most common in 2018, followed closely by breaches classified as "hacking/IT incident." Between the start of 2018 and the end of October, there were 306 breaches, compared to 298 in the same period of 2017.
The OCR does not take data breaches lightly. In October 2018, the office fined Anthem $16 million for a 2015 data breach that affected nearly 79 million people.
But that paled in comparison to the class-action lawsuit settlement Anthem reached Tuesday, after agreeing in 2017 to pay out $115 million to those whose data were breached in 2015.
As in that case, the fallout from the AccuDoc breach could be a class-action lawsuit, Anderson said. "These types of lawsuits are very much in vogue these days," he said.