Atrium Health recently identified a security incident that may have involved some patient information.
On or about April 29, 2024, Atrium learned that an unauthorized third party gained access to some employee email accounts on that same day through “phishing.” Phishing occurs when an email looks like it is from a trustworthy source but is not. The malicious email misleads the recipient into sharing or providing access to their account login information.
Atrium immediately began an investigation, took the necessary steps to secure the affected accounts and confirmed the unauthorized third party had no further access. They also engaged a forensic consultant to assist with the investigation and notified law enforcement. Based on their findings, it appears the unauthorized third party may have had access to the affected accounts for a short time from April 29 to 30. They confirmed the unauthorized third party did not access Atrium Health’s electronic health record systems. The forensic consultant’s analysis of the affected accounts, completed on July 17, 2024, indicates that the unauthorized party was not focused on email content pertaining to medical or health information.
However, it was not possible to conclusively determine whether the third party actually viewed any emails or attachments contained in the affected accounts. As a result, with the assistance of the forensic consultant, Atrium conducted a review of the accounts to determine what information may have been accessible to the party. This information may have included one or more of the following: an individual’s first and/or last name; middle initial; street address, email address and/or phone number(s); Social Security number; date of birth; medical record number; certain government or employer identifiers; driver’s license or state-issued identification number; bank or financial account numbers or information, including routing numbers, financial institution name, or expiration date; treatment/diagnosis, provider name, prescription, health insurance or treatment cost information; patient identification number; health insurance account or policy number(s); incidental health references; billing identification numbers; access credentials; and/or digital signatures.
Not all of Atrium Health’s patients were impacted; only those whose information happened to be in the files used by the affected employees’ accounts were. Additionally, their electronic medical record systems are separate from their email accounts and were not affected by this incident.
Atrium has no indication that anyone’s information was actually viewed by the unauthorized third party or that it has been misused. However, as a precaution, they are mailing notification letters to people whose information was identified through their review and for whom they have sufficient contact information.