
Atrium Health / AccuDoc Solutions Data Breach (2018)

📅 2018-09-22 🏢 AccuDoc Solutions Inc.

Incident Details

Atrium Health, a major Charlotte, North Carolina hospital network, suffered a significant data breach affecting 2,650,000 patients through its billing services vendor AccuDoc Solutions Inc. The breach was discovered when AccuDoc notified Atrium Health on October 1, 2018, that some of its databases had been compromised. A forensic investigation established that unauthorized access had occurred between September 22 and September 29, 2018.

The root cause was a security vulnerability at a third-party vendor that AccuDoc itself relied upon for hosting services — making this a multi-tier supply chain breach. AccuDoc terminated its relationship with that vendor following the incident.

Exposed data for the 2.65 million affected patients included first and last names, home addresses, dates of birth, insurance policy information, medical record numbers, invoice numbers, account balances, and dates of service. Approximately 700,000 of those patients also had their Social Security numbers exposed. Notably, no clinical or medical records, bank account numbers, or payment card data were stored in the breached databases. Forensic investigators confirmed that data could only have been viewed — not downloaded — by the attackers, though the full extent of attacker access remained uncertain.

AccuDoc served approximately 50 healthcare provider clients; only one other client beyond Atrium Health was confirmed affected: Baylor Medical Center in Frisco, Texas, where approximately 40,000 patient records were exposed.

Atrium Health publicly disclosed the breach on November 27, 2018, and notified affected patients directly. The incident became one of the largest healthcare data breaches of 2018 and underscored the risks of downstream vendor dependencies — where a hospital’s business associate itself relies on yet another vendor whose security posture is not directly visible to the upstream healthcare organization. The breach drew attention to HIPAA business associate agreement obligations and the importance of evaluating the entire vendor chain, not just direct vendors.

Technical Details

Initial Attack Vector: Exploitation of security vulnerability at AccuDoc Solutions' third-party hosting vendor, enabling unauthorized access to AccuDoc databases containing Atrium Health patient billing data

Vendor / Product: AccuDoc Solutions Inc.

Supply Chain Attack: ✅ Confirmed third-party / vendor compromise

Timeline

  1. 2018-09-22 Breach occurred
  2. 2018-11-27 Publicly disclosed
  3. 2018-11-27 Customers notified