Atrium Health disclosed a significant data breach that affected 585,000 individuals, prompting the company to notify the US Department of Health and Human Services (HHS). During an internal investigation, it was discovered that from January 2015 to July 2019, certain online tracking technologies were active on the MyAtriumHealth Patient Portal. These tracking tools, designed to enhance user experience, may have inadvertently transmitted personal information to third-party vendors such as Google and Meta. While the tracking was disabled in July 2019, a recent review revealed the historical use of these tools, leading Atrium Health to notify users.
As it remains unclear what specific data may have been transmitted, Atrium Health is taking a precautionary approach by informing all users who accessed the portal during the affected period. The potential impacts of the breach can vary depending on factors such as the users’ browsers, cookies, and third-party account activities.
Atrium Health has stated that they are continuing to investigate the incident to understand the full extent of the breach and ensure such vulnerabilities are addressed to prevent future occurrences.
The potential exposed data in the Atrium Health breach includes IP addresses, third-party identifiers/cookies, and in some cases, information about a patient’s treatment or provider if included in a URL or button text. Additionally, if users filled out forms, data such as names, email addresses, phone numbers, home addresses, and gender may have been shared with third-party vendors. However, Atrium Health has confirmed that no Social Security numbers, financial accounts, or credit/debit card information were affected.
Atrium Health assured that there is no evidence of any misuse of the shared information. They also stated that the nature of the potentially collected information is unlikely to result in identity theft or financial harm.
Atrium Health recently disclosed another incident in April 2024, where attackers accessed employee email accounts via phishing attacks. These compromised accounts contained sensitive information on patients and employees, including Social Security numbers, bank account details, access credentials, and treatment/diagnosis information . Affected individuals were notified in September 2024 .
Additionally, in November 2018, Atrium Health suffered another data breach when hackers accessed patients’ personal information after compromising the technology solutions provider AccuDoc . This breach involved personal information such as names, addresses, dates of birth, and insurance details.
