November 27, 2018 Notice
Unauthorized Access to Databases at Vendor May Have Involved Personal Information
AccuDoc Solutions, Inc. (“AccuDoc”) and Atrium Health announced that following an extensive internal investigation, Atrium Health has reported possible unauthorized access to databases hosted by AccuDoc that contained personal information provided in connection with payment for health services at an Atrium Health location (formerly Carolinas HealthCare System) and at locations managed by Atrium Health, including Blue Ridge HealthCare System, Columbus Regional Health Network, NHRMC (New Hanover Regional Medical Center) Physician Group, Scotland Physicians Network, and St. Luke’s Physician Network (collectively, “Managed Locations”). AccuDoc is a vendor that provides billing and other services to healthcare providers, including Atrium Health.
As soon as AccuDoc discovered the incident, it immediately terminated the unauthorized access, engaged a forensic investigator, and took steps to secure its affected databases and enhance its security controls. AccuDoc continues to monitor its systems for any additional related activity. AccuDoc informed Atrium Health of the incident on October 1, 2018. Atrium Health takes this matter very seriously and engaged its own nationally-recognized forensic investigator to conduct an independent review of the incident. Atrium Health also reviewed its security safeguards and remains vigilant for similar types of incidents. Both AccuDoc and Atrium Health have been in contact with the Federal Bureau of Investigation (FBI).
Following an extensive forensics review, it appears that an unauthorized third party gained access to AccuDoc’s databases between September 22, 2018 and September 29, 2018. Based on the review, the information that may have been accessed included certain personal information about patients and guarantors (a person who is responsible for paying a patient’s bill), including first and last name, home address, date of birth, insurance policy information, medical record number, invoice number, account balance, and dates of service. For some individuals, the personal information may also have included Social Security numbers.
Please note that it does not appear that any personal information was taken from AccuDoc’s systems and, to date, we are not aware of any misuse. In addition, no financial account numbers or credit or debit card numbers were involved in the incident, nor were clinical information or medical records. Importantly, Atrium Health’s own systems and those of its Managed Locations were not affected by this cyber incident.
Individuals should monitor their account statements, bills, notices, and insurance transactions for incidents of unauthorized activity, and contact Atrium Health with any questions or concerns. We are also providing additional information about general steps individuals can take to protect their information in the below Reference Guide. Atrium Health is offering credit monitoring to those whose Social Security numbers were potentially accessed.
Individuals affected by this incident are being mailed notices. Since it is possible, however, that we may have insufficient contact information for some individuals, we are posting this notice on our website as permitted by HIPAA.
For the next 90 days, individuals may call a toll-free number at 1-833-228-5726 and visit a website at www.krollfraudsolutions.com/accudocincident to ask questions and learn additional information. This toll-free number is open Monday through Friday, 9:00 AM to 6:00 PM Eastern Time. This substitute notice and toll-free number will remain active for at least 90 days.
We deeply regret the incident occurred regarding AccuDoc’s databases, and we apologize for any inconvenience. Thank you.
Review Your Account Statements
Carefully review statements sent to you from providers as well as from your insurance company to ensure that all of your account activity is valid. Report any questionable charges promptly to the provider’s billing office, or for insurance statements, to your insurance company.
Provide any updated personal information to your health care provider
Your health care provider’s office may ask to see a photo ID to verify your identity. Please bring a photo ID with you to every appointment if possible. Your provider’s office may also ask you to confirm your date of birth, address, telephone, and other pertinent information so that they can make sure that all of your information is up-to-date. Please be sure and tell your provider’s office when there are any changes to your information. Carefully reviewing this information with your provider’s office at each visit can help to avoid problems and to address them quickly should there be any discrepancies.
Order Your Free Credit Report
To order your free annual credit report, visit www.annualcreditreport.com, call toll-free at (877) 322-8228, or complete the Annual Credit Report Request Form on the U.S. Federal Trade Commission’s (“FTC”) website at www.ftc.gov and mail it to Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA 30348-5281. The three credit bureaus (Equifax, Experian and TransUnion) provide free annual credit reports only through the website, toll-free number or request form.
Upon receiving your credit report, review it carefully. Errors may be a warning sign of possible identity theft. If you see anything you do not understand, call the credit bureau at the telephone number on the report. You should notify the credit bureaus of any inaccuracies in your report, whether due to error or fraud, as soon as possible so the information can be investigated and, if found to be in error, corrected. If there are accounts or charges you did not authorize, immediately notify the appropriate credit bureau by telephone and in writing. Information that cannot be explained should also be reported to your local police or sheriff’s office because it may signal criminal activity.
Contact the U.S. Federal Trade Commission
If you detect any unauthorized transactions in any of your financial accounts, promptly notify the appropriate payment card company or financial institution. If you detect any incidence of identity theft or fraud, promptly report the matter to your local law enforcement authorities, state Attorney General and the FTC. You can contact the FTC to learn more about how to protect yourself from becoming a victim of identity theft by using the contact information below:
Federal Trade Commission, Consumer Response Center, 600 Pennsylvania Avenue, NW Washington, DC 20580, 1-877-IDTHEFT (438-4338), www.ftc.gov/idtheft/
Place a Fraud Alert on Your Credit File
To protect yourself from possible identity theft, consider placing a fraud alert on your credit file. A fraud alert helps protect against the possibility of an identity thief opening new credit accounts in your name. When a credit grantor checks the credit history of someone applying for credit, the credit grantor gets a notice that the applicant may be the victim of identity theft. The alert notifies the credit grantor to take steps to verify the identity of the applicant. You can place a fraud alert on your credit report by calling any one of the toll-free fraud numbers provided below. You will reach an automated telephone system that allows flagging of your file with a fraud alert at all three credit bureaus.
You have the right to put a security freeze, also known as a credit freeze, on your credit file free of charge, so that no new credit can be opened in your name without the use of a PIN number that is issued to you when you initiate a freeze. A security freeze is designed to prevent potential credit grantors from accessing your credit report without your consent. If you place a security freeze, potential creditors and other third parties will not be able to get access to your credit report unless you temporarily lift the freeze. Therefore, using a security freeze may delay your ability to obtain credit.
Unlike a fraud alert, you must separately place a security freeze on your credit file at each credit bureau by contacting the credit reporting agency by phone, mail, or secure electronic means and providing proper identification to verify your identity. The following information must be included when requesting a security freeze: (1) full name, with middle initial and any suffixes; (2) Social Security number; (3) date of birth; (4) current address and any previous addresses for the past five years; and (5) any applicable incident report or complaint with a law enforcement agency or the Registry of Motor Vehicles. The request must also include a copy of a government-issued identification card and a copy of a recent utility bill or bank or insurance statement. It is essential that each copy be legible, display your name and current mailing address, and the date of issue.
Below, please find relevant contact information for the three consumer reporting agencies:
Equifax Security Freeze
P.O. Box 105788
Atlanta, GA 30348
Experian Security Freeze
P.O. Box 9554
Allen, TX 75013
P.O. Box 2000
Chester, PA 19016
Once you have submitted your request, the credit reporting agency must place the security freeze no later than 1 business day after receiving a request by phone or secure electronic means, and no later than 3 business days after receiving a request by mail. No later than five business days after placing the security freeze, the credit reporting agency will send you confirmation and information on how you can remove the freeze in the future.
Residents of North Carolina: As required by law, you may also obtain information about preventing and avoiding identity theft from the North Carolina Attorney General’s Office: North Carolina Attorney General’s Office, Consumer Protection Division, 9001 Mail Service Center, Raleigh, NC 27699-9001, 1-877-5-NO-SCAM, www.ncdoj.gov.