Healthcare company Atrium Health has notified the US Department of Health and Human Services (HHS) that a recently discovered data breach impacts more than 585,000 individuals.
The HHS website does not provide any information regarding the incident, but the notification is likely related to an issue involving online tracking technologies that were present on an Atrium Health patient portal between 2015 and 2019.
“These commonly used internet technologies were utilized to help operate certain features of our Patient Portal and enhance the online experience for users. We have learned that, during this time frame, these technologies may have transmitted certain personal information to third-party vendors, such as Google and Facebook (now Meta),” Atrium told impacted individuals recently.
The company said an initial review of the tracking technologies, conducted in 2022, did not uncover any issues, but a more recent analysis of online technologies on the patient portal did reveal the possible exposure of information.
Atrium said it’s difficult to precisely determine what data was transmitted to third-parties, but it’s assuming that all users of the MyAtriumHealth or MyCarolinas patient portal between January 2015 and July 2019 are affected.
Depending on the user’s browser, configuration, and actions, information such as IPs, cookies, information on treatment or provider, names, email addresses, phone numbers, and physical addresses may have been exposed.
“Based on our review, no Social Security number, financial account, credit card or debit card information was involved,” Atrium pointed out, adding, “There is no evidence that any information that may have been shared with these third parties has been misused in any way. Moreover, the nature of the information that could have been collected would be very unlikely to result in identity theft or any financial harm.”
It’s worth noting that this is not the only cybersecurity incident disclosed by Atrium in recent months. In mid-September, the company notified a subset of patients and employees after discovering that over a period of two days in April someone had gained access to employee email accounts through phishing.
Advertisement. Scroll to continue reading.
An investigation showed that the compromised email accounts stored information on some patients and employees, including a wide range of personal, financial and health information, such as Social Security numbers, bank account information, access credentials, and treatment/diagnosis details.
SecurityWeek has reached out to Atrium Health for clarifications regarding which of these incidents impacted 585,000 people, but the healthcare company has not responded.
Atrium Health provides healthcare services at more than 1,400 care locations and 40 hospitals across several states.
Back in 2018, Atrium Health experienced a data breach that impacted 2.6 million patients.
Related: Other healthcare data breaches covered by SecurityWeek
Related: Two UK Hospitals Hit by Cyberattacks, One Postponed Procedures
Related: Bipartisan Legislation Seeks Stronger Healthcare Cybersecurity