Atrium Health, a North Carolina-based non-profit hospital network, recently faced an email breach.
Atrium Health recently announced it had experienced a data breach related to a phishing email attack. According to their notice, published on September 13th, an unauthorized party gained access to several employee email accounts on April 29th, 2024.
Atrium said the attack was caused by phishing, which occurs when an email appears to come from a trustworthy source, but instead prompts the recipient to provide information for malicious purposes.
When Atrium Health discovered the breach, the network immediately began an investigation, enlisting the help of a third-party cybersecurity firm. The findings revealed the unauthorized party had accessed the affected account between April 29th and 30th.
Accessed information may have included names, addresses, email addresses and phone numbers, Social Security numbers, dates of birth, medical record numbers, driver’s license or state ID numbers, bank or financial information, treatment/diagnosis information, health insurance information, and other data related to individuals’ financial and health information.
The hospital network is based out of Charlotte, North Carolina. Currently, it operates 40 hospitals, seven emergency departments, over 30 urgent care facilities, and 1,400 other care locations in North Carolina, South Carolina, Georgia, and Alabama.
Atrium Health completed the investigation on July 17th, but hasn’t yet revealed how many individuals were impacted. Only individuals connected to the impacted employee email accounts were affected.
The network’s statement said they were unable to determine if the unauthorized party viewed any emails or attachments in the email accounts. “Findings indicate the activity of the unauthorized third party was not focused on medical or health information content in the employee email boxes,” the statement read.
Atrium Health’s electronic medical records are kept in a separate system and were not part of the breach. Currently, Atrium Health is not aware of any misuse of patient or personal information.
If the event impacted more than 500 individuals, Atrium Health will have 60 days to notify the Department of Health and Human Services of the breach. If the breach ultimately impacted fewer than 500 individuals, it will need to be reported by the end of the year.
Other government agencies may also require notice, such as the Attorneys General of states with impacted residents.
Cases like these also generally result in organizations evaluating their current safety practices and standards to prevent another breach. Considering the variety of data stolen, it’s also likely that Atrium Health will face backlash from victims who may find themselves more susceptible to fraud or identity theft. Atrium may face additional repercussions, like lawsuits, financial loss, and reputational damage.
Atrium Health last faced a data breach in 2018, when 2.65 million patients had their data stolen from Atrium’s database hosted by AccuDoc. At the time, Atrium Health contacted the FBI and vowed to enhance security controls.
The cybersecurity landscape is always evolving, and even organizations with a great track record of security must stay up to date with changes in best practices and security measures. With phishing attacks in particular, having automated protocols, like spam-filtering, can prevent a significant amount of attack attempts.