Atrium Health has reported a massive data breach exposing the PII of more than 2.6 million clients after someone gained access to a database belonging to a third-party vendor.
The North Carolina-based healthcare provider stated that AccuDoc Solutions, a vendor providing billing and other services, had informed Atrium on October 1 that an unauthorized person had gained access to its database between September 22 and 29, 2018. The information exposed came from patients and payment guarantors and included first and last name, home address, date of birth, insurance policy information, medical record number, invoice number, account balance, dates of service and, for some people, Social Security numbers.
About 700,000 of the 2.65 million records exposed contained Social Security numbers, Atrium told The Charlotte Observer.
Atrium does not believe any of the information was removed from the database, but the company is recommending those affected, who are being notified by mail, should monitor their accounts and bills for malicious activity.
Exactly how access was gained was not released, but the database has since been locked down.
Industry experts reiterated that organizations have to take an active role in managing their third party vendors in order to help avoid these breaches.
“Most vendor risk management (VRM) audits include a survey of physical and information security tools, training and practices including identity verification and authentication of vendor employees and their contractors who have access to client data, on-boarding, off-boarding, and access control list procedures. Such audits are important for product and service vendors, but VRM is especially critical when using SaaS vendors,” John Callahan, CTO of Veridium, told SC Media.
Sherban Naum, Bromium’s Sr. VP for corporate strategy and technology, believes an entirely new approach needs to be instituted to mitigate risk, one that isolates high-value assets from potentially vulnerable endpoints and networks.
“If access to the high value applications storing sensitive data were protected in a hardware-enforced virtual environment, the hacker wouldn’t have been able to see or access the data from the compromised machines or networks and no data would have been obtained,” he said.
The Charlotte Observer cited AccuDoc general counsel Kenneth Perkins as saying the number of affected people could rise, but since the entire database was impacted by this breach he did not believe any increase would be significant.
The records involved were associated with patients who used Atrium Health locations (formerly Carolinas HealthCare System) and locations managed by Atrium Health, including Blue Ridge HealthCare System, Columbus Regional Health Network, NHRMC (New Hanover Regional Medical Center) Physician Group, Scotland Physicians Network, and St. Luke’s Physician Network, the company said.