Please note the correction at the bottom of this post.
Researcher Jeremiah Fowler recently discovered an unsecured database with protected health information (PHI) that appeared to be linked to Atrium Health in North Carolina. As reported at WebsitePlanet, there were 21,344 records with a total size of 6.99 GB. The database appeared to be an FTP storage database. Fowler reports:
The PDF documents’ metadata indicated that these were “Software Billing and Compliance Reports” belonging to a medical software company, and contained a detailed analysis and key metrics related to medical billing and healthcare services provided. I immediately contacted that company and provided the details of my discovery. They indicated that they did not own or manage the database and that it was a customer using their electronic health record (EHR) system. Based on the information I provided, this medical software company was able to identify who the documents belonged to and notify that organization. Public access was restricted the same day.
To emphasize: the reports did not belong to the software firm.
Fowler subsequently found files in the exposed dataset that pointed to Atrium. When he contacted Atrium, he received a response: “Thank you for bringing this matter to our attention. We immediately launched an investigation to ensure the issue is resolved. – Advocate Health Cyber Security Team.” Advocate and Atrium had merged in 2022 to form Advocate Health.
As Fowler reports, he does not know if the database was owned and managed by Atrium Health directly or via a third-party contractor. He also does not know how long the database was exposed before he discovered it or if anyone else gained access to it. “Only an internal forensic audit could identify additional access or potentially suspicious activity,” he writes.
Fowler provides several redacted screenshots of the types of files he found exposed.
Read Fowler’s report at Website Planet.
In email communications with Fowler, DataBreaches learned that the exposed records appeared to be current records from 2024 and 2025 — not old or legacy data.
Unfortunately, he repeats older erroneous claims about the commercial value of a patient record. The reality is that in today’s market, patient data records do not command big prices unless the patient is a celebrity or otherwise famous. Patient record data sets often contain scanned .pdf files, which are rich in details but also less convenient for misuse purposes. As a result, many patient databases and data sets are getting leaked on the dark web because there are no buyers for them.
But patient records can cause harm other than financial fraud. They can lead to social stigmatization and may result in discriminatory rates or decisions when patients attempt to seek loans, apply for jobs, or interact on social media. All of these are real harms whose commercial value is not easy to calculate.
Will HHS Investigate?
This situation clearly falls under HIPAA, although whether it is a reportable breach will depend, in part, on whether there are adequate logs to determine if any unauthorized IP addresses (other than Fowler’s) accessed or downloaded PHI during the entire period that the database was exposed. If the responsible entity can show no access by anyone other than Fowler, they could potentially argue that there has been no harm and therefore no need to notify patients. HHS might or might not agree. But even if they agree, it would not preclude HHS from investigating the incident and taking a deeper look at whether the responsible entity had an adequate risk assessment and appropriate security controls consistent with the HIPAA Security Rule.
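The log review described above, as an added example that is not part of the original post or of any party’s investigation: it reads FTP transfer logs in the standard xferlog format (an assumption; the post does not say what software the exposed server ran), keeps only downloads that fall inside an assumed exposure window, and drops the researcher’s placeholder address to leave the hosts a breach assessment would have to account for. All log lines, dates and addresses are constructed.

```python
from datetime import datetime

# Constructed sample transfer log in the standard xferlog format used by
# wu-ftpd, vsftpd and proftpd (assumed format; not from the incident).
# Field order per line: timestamp(5 tokens) secs remote-host bytes path type
# special direction access-mode user service auth-method auth-user status
SAMPLE_XFERLOG = """\
Fri Jan  3 14:10:02 2025 1 203.0.113.77 91004 /billing/2024-12-claims.pdf b _ o a anonymous ftp 0 * c
Wed Feb 12 09:14:07 2025 3 198.51.100.20 184320 /billing/2025-01-compliance.pdf b _ o a anonymous ftp 0 * c
Fri Feb 14 22:41:55 2025 1 203.0.113.77 91004 /billing/2024-12-claims.pdf b _ o a anonymous ftp 0 * c
Sat Feb 15 03:02:19 2025 2 192.0.2.10 184320 /billing/2025-01-compliance.pdf b _ o a anonymous ftp 0 * c
Sat Feb 15 03:02:21 2025 2 192.0.2.10 91004 /billing/2024-12-claims.pdf b _ o a anonymous ftp 0 * c
Sun Feb 16 11:20:00 2025 0 10.0.0.8 2048 /billing/upload-2025-02.pdf b _ i r svc_billing ftp 0 * c
Mon Feb 17 08:00:45 2025 5 203.0.113.77 450112 /billing/2025-02-compliance.pdf b _ o a anonymous ftp 0 * i
"""

# Placeholders for the example: the period the server is believed to have been
# open, and the address the researcher reported using.
EXPOSURE_WINDOW = (datetime(2025, 2, 10), datetime(2025, 2, 18))
RESEARCHER_HOSTS = {"192.0.2.10"}

def parse_xferlog(text):
    """Yield one dict per well-formed xferlog line; malformed lines are skipped."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 18:
            continue
        yield {
            "when": datetime.strptime(" ".join(f[:5]), "%a %b %d %H:%M:%S %Y"),
            "host": f[6], "bytes": int(f[7]), "path": f[8],
            "direction": f[11],      # o = download, i = upload, d = delete
            "mode": f[12],           # a = anonymous, g = guest, r = real user
            "user": f[13], "complete": f[17] == "c",
        }

def downloads_by_unknown_hosts(text, window_start, window_end, known_hosts):
    """Map each host not in known_hosts to the paths it pulled inside the window.
    Incomplete transfers are counted too: a partial download still leaks bytes."""
    seen = {}
    for rec in parse_xferlog(text):
        if rec["direction"] != "o" or rec["host"] in known_hosts:
            continue
        if not (window_start <= rec["when"] <= window_end):
            continue
        seen.setdefault(rec["host"], set()).add(rec["path"])
    return {host: sorted(paths) for host, paths in seen.items()}

if __name__ == "__main__":
    hits = downloads_by_unknown_hosts(SAMPLE_XFERLOG, *EXPOSURE_WINDOW, RESEARCHER_HOSTS)
    for host, paths in sorted(hits.items()):
        print(host, paths)
```

An empty result supports the no-access argument only if the log covers the whole exposure period; a gap in the log is itself a finding.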
In recent press releases by HHS OCR about their investigations of data security incidents, OCR has recommended that health care providers, health plans, clearinghouses, and business associates that are covered by HIPAA take the following steps to mitigate or prevent cyber-threats:
- Identify where ePHI is located in the organization, including how ePHI enters, flows through, and leaves the organization’s information systems.
- Integrate risk analysis and risk management into the organization’s business processes.
- Ensure that audit controls are in place to record and examine information system activity.
- Implement regular reviews of information system activity.
- Utilize mechanisms to authenticate information to ensure only authorized users are accessing ePHI.
- Encrypt ePHI in transit and at rest to guard against unauthorized access to ePHI when appropriate.
- Incorporate lessons learned from incidents into the organization’s overall security management process.
- Provide workforce members with regular HIPAA training that is specific to the organization and to the workforce members’ respective job duties.
Correction and Update of April 25, 2025:
DataBreaches received the following statement from an Atrium Health spokesperson:
Our cyber security team immediately launched an internal investigation upon receiving an email tip in mid-February 2025 about a possible data breach. Our investigation found that Carolina Anesthesiology, P.A., who regularly provides anesthesia services at select facilities, misconfigured the technology service used for billing data, exposing some of their patient data. We immediately shut down all data feeds to Carolina Anesthesiology and, as a courtesy, notified the regular governing entities. We continue to learn more from the Carolina Anesthesiology team about their plan to notify their patients of this breach. All data feeds remain off until this issue has been satisfactorily addressed.
A previous version of this post, based on the researcher’s statements, incorrectly claimed that the data were owned by Atrium Health. The post has been edited to remove such statements as it appears the data was not owned by them and DataBreaches apologizes for that error.