Phishing Email May Have Impacted Personal Information

Potentially Affected Individuals Being Notified

CHARLOTTE, N.C., Sept. 13, 2024 – Atrium Health is sending notifications to a subset of its patients and employees who may be potentially impacted by the effects of a malicious email sent to some of the health system’s employees. On April 29, 2024, the system learned that an unauthorized third party had gained access to a limited number of employee email accounts through “phishing.” Phishing occurs when an email looks like it is from a trustworthy source, but instead is a malicious email designed to mislead the recipient into sharing information or providing access to their account login information.

Atrium Health immediately began an investigation, taking the necessary steps to secure the affected accounts and confirmed the unauthorized third party had no further access. It also engaged a third-party forensics firm to assist with its investigation and notified law enforcement. Based on the findings from the investigation, it appears the unauthorized party had access to the affected account for a short time between April 29-30.

The forensic examination of the affected accounts was completed July 17, 2024. Not all of Atrium Health’s patients or employees were impacted, only those whose information happened to be in the email and/or files included in the affected employees’ accounts.

It is not possible to conclusively determine whether the unauthorized party actually viewed any emails or attachments contained in the email accounts. Findings indicate the activity of the unauthorized third party was not focused on medical or health information content in the employee email boxes. Importantly, Atrium Health’s electronic medical record systems are separate from its email system and were not affected by this incident.

Atrium Health is unaware of any attempted or actual misuse of patient or personal information and there is no evidence any personal information was viewed as a result of the phishing attack. However, the health system is mailing notification letters to patients and employees whose personal information could have potentially been exposed in the incident and posting a notice on its website explaining what took place and apologizing that the incident occurred.

Information which may have been accessible includes: an individual’s first and/or last name; middle initial; street address, email address and/or phone number(s); Social Security number; date of birth; medical record number; driver’s license or state-issued identification number; certain government or employer identifiers; bank or financial account numbers or information, including routing numbers, financial institution name, security code/PIN and/or expiration date; treatment/diagnosis, prescription, health insurance and/or treatment cost information; patient identification number; health insurance account or policy number(s); incidental health references; billing identification numbers; access credentials; and/or digital signatures.

Individuals whose personal information was noted in the data involved are being offered complimentary credit monitoring and identity protection services.

Patient safety, privacy and security are regarded as Atrium Health’s highest priorities. It promptly engaged its internal and external legal teams, as well as its security teams to further examine what took place. It is continuing to evaluate and enhance security controls, as appropriate, to minimize the risk of similar incidents in the future and is providing additional phishing training and education to its employees.

A call center where people can get additional information or ask questions about the phishing incident is available at 866-997-1986, Monday through Friday from 9:00 a.m. to 6:30 p.m. Eastern Time, excluding major U.S. holidays. People may also visit https://atriumhealth.org/dataincident.