Phishing Attack at Atrium Exposes PHI

Atrium Health, a hospital network located in Charlotte, North Carolina, has notified patients that an unauthorized third party accessed protected health information (PHI) it maintains. Atrium Health is responsible for the operations of various healthcare providers, including 40 hospitals and more than 30 urgent care centers. The hospital network believes the breach resulted from a phishing attack in which hackers gained access to the business email and messaging account of an employee. Upon detection, a thorough investigation was immediately conducted. Atrium Health believes the unauthorized third party had access to the information between April 7, 2022 and April 8, 2022. The information accessed consisted of individually identifiable personal information, including name, address, date of birth, health insurance and medical information, Social Security number, and state ID.

Atrium Health took immediate action to limit the harm caused by the exposure of PHI. The network reset the password of the affected account to ensure no further activity could take place and notified law enforcement. In addition, improved security controls were implemented along with comprehensive training regarding phishing attacks.

Atrium Health has said it will be issuing notification letters via email to the individuals potentially affected by the attack. The notification letters will detail the practices affected individuals can follow to protect themselves against identity theft and fraud. The practices include regularly monitoring credit reports, accounts, and benefit statements. Additionally, identity theft protection and credit monitoring services are being offered to potentially affected individuals free of charge. Atrium Health has maintained that if a patient encounters suspicious activity, a notification should be issued along with a report of fraudulent activity to law enforcement. A dedicated phone line has been set up to assist individuals who are seeking guidance or have questions regarding the incident.

The Charlotte-based hospital network insists that it is committed to upholding the privacy and security of the PHI it maintains. In a statement, the network has said, “Atrium Health Navicent takes its responsibility to safeguard personal information seriously and apologizes for any inconvenience or concern this incident might cause.”