What happened in the Atrium Health data breach?

Atrium Health reported a data breach affecting 585,000 individuals through their MyAtriumHealth Patient Portal. Online tracking technologies active between January 2015 and July 2019 inadvertently transmitted personal information to third-party vendors including Google and Meta.

What types of information were potentially exposed?

The exposed data potentially included IP addresses, third-party identifiers and cookies, treatment information, provider information, names, email addresses, phone numbers, physical addresses, and gender information when entered in forms. No Social Security numbers, financial accounts, or credit/debit card information were compromised.

What previous security incidents has Atrium Health experienced?

Atrium Health experienced two previous breaches: a phishing attack in April 2023 that compromised employee email accounts containing sensitive information, and a November 2018 data breach through their technology solutions provider AccuDoc.

Incident

Atrium Health reports another data breach impacting 585k people

Q: How did the tracking technologies affect different users?

The impact varied based on factors including browser choice, cookie settings, whether users had accounts with the third-party vendors, and their specific actions on the platform. Atrium Health claims there is no evidence of misuse and believes the nature of the exposed data makes identity theft or financial harm unlikely.

published: Dec. 6, 2024

Learn More

Atrium Health is reporting a data breach affecting 585,000 individuals through their MyAtriumHealth (formerly MyCarolinas) Patient Portal. The breach is caused by online tracking technologies that were active between January 2015 and July 2019. These tracking tools, which were intended to improve user experience, inadvertently transmitted personal information to third-party vendors including Google and Meta (formerly Facebook).

The breach was discovered during a recent review of historical technology usage on their patient portal systems. While the tracking technologies were disabled in July 2019, the company determined it necessary to notify all users who accessed the portal during the affected period due to the uncertainty about specific data transmission patterns.

Potentially exposed data includes:

IP addresses
Third-party identifiers and cookies
Treatment information (if included in URLs or button text)
Provider information (if included in URLs or button text)
Names (if entered in forms)
Email addresses (if entered in forms)
Phone numbers (if entered in forms)
Physical addresses (if entered in forms)
Gender information (if entered in forms)

The company explicitly claims that no Social Security numbers, financial accounts, or credit/debit card information were compromised in this incident.

The impact on individuals varied based on several factors, including their browser choice, cookie settings, whether they had accounts with the third-party vendors, and their specific actions on the platform. Atrium Health claims that there is no evidence of misuse of any shared information and believes the nature of the exposed data makes identity theft or financial harm unlikely.

This incident follows two previous security breaches at Atrium Health:

In April 2023, the organization experienced a phishing attack that compromised employee email accounts containing sensitive patient and employee information
In November 2018, they suffered a data breach through their technology solutions provider AccuDoc

Atrium Health reports another data breach impacting 585k people

Read More
Rehabilitation Hospital of Southern New Mexico reports data …
Midwives of Windsor patient data breach
Bay Area Community Health patient data exposed in …
Summit Pathology reports data breach exposing 1.8M patients
Multnomah County Health Center reports data breach caused …