Miscreants gained access to US healthcare billing vendor AccuDoc Solutions' database for about a week in September, exposing the data of at least 2.65 million people.
North Carolina-based Atrium Health, a customer of AccuDoc Solutions, this week said it had been affected by the breach. The firm operates 44 hospitals across North Carolina, South Carolina and Georgia, as well as urgent care centres and other practices.
In a statement, Atrium Health said a third party had gained access to AccuDoc's databases for a week (22-29 September), "through a website for an unrelated client".
Atrium Health – which repeatedly emphasised its innocence – said AccuDoc had terminated unauthorised access as soon as the breach was identified, closed off the compromised path and rebuilt the affected database.
However, the intruder still gained access to information on 2.65 million patients who use Atrium Health's services, with the firm saying "even one record accessed is one too many".
Information that the hacker had access to included names, addresses, dates of birth, insurance policy information, medical record numbers, account balances and dates of services.
In about 700,000 cases, it also included social security numbers, Atrium Health said – these people will be offered free identity monitoring services.
The exposed information did not include any financial details or medical records, and the company stressed that an investigation had confirmed that although data was accessed, none was downloaded.
An FAQ statement, posted on the website of corporate fraud investigation firm Kroll, said Atrium was told about the incident on 1 October, but didn't tell patients until after an initial investigation.
"Cybersecurity investigations can be very complicated and it was important that we accurately understood what happened and properly identified who was affected," the statement said.
"Both AccuDoc and Atrium Health engaged their own forensic investigators to review the incident and alerted the Federal Bureau of Investigation (FBI)."
AccuDoc provides billing services – such as preparing paper statements and operating a website for patients to pay for services – to various healthcare providers.
Local press reported that AccuDoc's general counsel, Kenneth Perkins, said one other customer, Baylor Medical Center in Texas, was affected, with potentially 40,000 people's records exposed.
The Charlotte Observer reported that Perkins had said "anything is possible" when asked whether the breach might have affected more people.
"We've tried to take the high road and (notified) everybody and be good stewards.... We take health care privacy very seriously."
The Register has contacted AccuDoc for confirmation that the breach affected just these two customers. ®