GUEST ESSAY: Atrium Health data breach highlights lingering third-party exposures

By Jonathan Simkins

The healthcare industry has poured vast resources into cybersecurity since 2015, when a surge of major breaches began.  While the nature of these breaches has evolved over the last four years, the growth in total healthcare incidents has unfortunately continued unabated.

Related: How to get off of HIPAA’s hit list

The recent disclosure from Atrium Health that more than 2.65 million patients had significant amounts of PII exposed by the healthcare provider’s third-party billing vendor, AccuDoc Solutions, shows the healthcare sector remains acutely vulnerable to attacks exploiting third-party contractors even as their first-party security posture hardens.

Atrium Health operates over 40 hospitals and almost 1,000 other healthcare facilities, primarily in North Carolina and South Carolina.  AccuDoc kept payment records from several Atrium Health locations.  A hacker accessed AccuDoc’s databases from September 22-29.

The compromised databases included names, addresses, dates of birth, insurance policy details, medical record numbers, account balances and dates of service — of both guarantors and patients.  Additionally, the Social Security numbers of about 700,000 patients were also exposed.

Weak links

The Atrium breach demonstrates how any third party in a company’s digital ecosystem can be the weak link that gives attackers a clear path to exposed data.  The fact that this incident is being labeled “the Atrium breach” in the media also shows where the reputational risk lies.

In early 2015, health insurer Anthem Inc. lost the personally identifiable information of up to 80 million individuals in a hack that began with phishing e-mails sent to a handful of its employees.  Community Health Systems and Premera Blue Cross and numerous other healthcare entities were similarly breached in 2015, and many of those organizations paid heavy fines for HIPAA violations.

That was followed by a wave of successful ransomware attacks in which attackers targeted healthcare patient data, encrypted that data, and then demanded a ransom to supply a decryption key.

Sticky problem

Since those attack surges, the healthcare industry has done much to defend against direct data breaches and to repel ransomware attacks.  Unique among major industry sectors, healthcare companies suffer more insider breaches than breaches originating externally, perhaps demonstrating the success the industry has had in hardening its perimeters.

However, third-party exposures remain a sticky problem for healthcare companies, as the Atrium breach shows.  Supply chain attacks resemble insider threats in that they also exploit a trusted relationship, and in an environment where it is becoming increasingly difficult to attack large healthcare providers directly, malicious activity will naturally shift to where it is more successful.

This Achilles’ heel is exacerbated by healthcare organizations’ long-standing reliance on an ecosystem of third parties to provide services.  From billing and payment vendors to legal services and cloud providers, businesses in the healthcare industry outsource non-core business functions to remain competitive, and in doing so place PHI they are responsible for protecting in the trust of ever more third parties.

Risk-based approach

Healthcare providers must therefore take the time to apply a risk-based approach to ensuring their partners have the right security controls in place before they share that data.  Too often, organizations conduct that assessment after the fact, or worse, don’t properly identify which third parties create the most business exposure, making it impossible to apply the proper level of due diligence until it’s too late.

It is critical for Atrium Health, and other organizations regardless of size or industry, to gain a better understanding of which of their third parties pose the biggest risk to their data.  Without an up-to-date and validated cyber assessment of each data custodian located within the supply chain, it’s not possible to have confidence in the safety of patient information.

About the essayist: Jonathan Simkins is chief financial officer at CyberGRX, a supplier of cyber risk management systems.
