Atrium Health has revealed that it may be the victim of a large-scale data breach.
The hospital network which was previously known as Carolinas HealthCare System, said that approximately 2.65 million patients may have been impacted in an incident that could lead to countless items of sensitive data being exposed through its third-party provider, AccuDoc Solutions, Reuters reports.
Speaking to ZDnet, Atrium Health said: “One record accessed is one too many”, in response to the intrusion which took place in September.
An unauthorised party managed to get into the databases concerned between September 22nd and September 29th to access records including addresses, around 700,000 US social security numbers, dates of birth, insurance policy information, service dates, medical record numbers, and account balances.
It is not believed that financial data, such as bank card details, is at risk.
The information compromised is traceable back to transactions conducted at an Atrium Health venue, as well as Atrium Health-operated locations including, Blue Ridge HealthCare System, Columbus Regional Health Network, NHRMC Physician Group, Scotland Physicians Network, and St. Luke’s Physician Network.
Atrium Health’s care and wellbeing network operates in North and South Carolina in west USA, and runs multiple hospitals, A&E rooms and healthcare programmes.
Despite conceding that the compromised data was accessed without permission, the not-for-profit organisation has underlined that its “forensic reports indicate the [user] was not able to actually download or remove the files”.
Separate from the Atrium Heath IT infrastructure, the servers vulnerable to the intrusion were operated by AccuDoc, which informed Atrium Health of the breach on the 1st October. Upon the discovery, the system weakness were isolated and shut down, the billing vendor was cut off and a forensics auditor was brought in to begin the recovery process.
The companies said that systems will continue to be monitored to look out for any “related activity”, adding:
“Atrium Health also reviewed its security safeguards and system activity, as well as engaged its own nationally recognized forensic investigative firm to conduct a thorough independent review of the incident.”
The FBI has also been notified, and the organisations at the centre of the situation claim that no data has been misused, but patients involved in the breach have been notified of proceedings. An offer of free credit-monitoring services will be extended to those data subjects whose social security numbers were compromised.
The inaugural Data Protection World Forum (DPWF) was held on November 20th & 21st 2018 at the ExCeL London and welcomed over 3,000 delegates seeking the very latest insight on data protection and privacy.
Pre-registration for DPWF 2019 will be opening in the coming weeks.