Researcher Jeremiah Fowler recently discovered an unsecured database with protected health information (PHI) linked to Atrium Health in North Carolina. As reported at WebsitePlanet, there were 21,344 records with a total size of 6.99 GB. The database appeared to be an FTP storage database. Fowler reports:
The PDF documents’ metadata indicated that these were “Software Billing and Compliance Reports” belonging to a medical software company, and contained a detailed analysis and key metrics related to medical billing and healthcare services provided. I immediately contacted that company and provided the details of my discovery. They indicated that they did not own or manage the database and that it was a customer using their electronic health record (EHR) system. Based on the information I provided, this medical software company was able to identify who the documents belonged to and notify that organization. Public access was restricted the same day.
To emphasize: the reports did not belong to the software firm. They belonged to the client using the software — Atrium Health. And while the software firm protected client confidentiality by not telling Fowler who the client was, they promptly notified the client themselves. The data were quickly secured after Atrium was alerted to the situation.
Fowler subsequently found files in the exposed dataset that pointed to Atrium. When he contacted Atrium, he received a response: “Thank you for bringing this matter to our attention. We immediately launched an investigation to ensure the issue is resolved. – Advocate Health Cyber Security Team.” Advocate and Atrium had merged in 2022 to form Advocate Health.
As Fowler reports, he does not know if the database was owned and managed by Atrium Health directly or via a third-party contractor. He also does not know how long the database was exposed before he discovered it or if anyone else gained access to it. “Only an internal forensic audit could identify additional access or potentially suspicious activity,” he writes.
Fowler provides several redacted screenshots of the types of files he found exposed.
Read Fowler’s report at Website Planet.
In email communications with Fowler, DataBreaches learned that the exposed records appeared to be current records from 2024 and 2025 — not old or legacy data.
Unfortunately, he repeats older erroneous claims about the commercial value of a patient record. The reality is that in today’s market, patient data records do not command big prices unless the patient is a celebrity or otherwise famous. Patient record data sets often contain scanned PDF files, which are rich in detail but also less convenient for misuse. One result is that many patient databases and data sets are simply leaked on the dark web because there are no buyers for them.
But patient records can cause harm other than financial fraud. They can lead to social stigmatization and may result in discriminatory rates or decisions when patients seek loans, apply for jobs, or interact on social media. All of these are real harms whose commercial value is not easy to calculate.
Will HHS Investigate?
This situation clearly falls under HIPAA, although whether it is a reportable breach will depend, in part, on whether Advocate has adequate logs to determine if any unauthorized IP addresses (other than Fowler’s) accessed or downloaded PHI during the entire period that the database was exposed. If Advocate can show no access by anyone other than Fowler, it could potentially argue that there has been no harm and therefore no need to notify patients. HHS might or might not agree. But even if it did agree, that would not preclude HHS from investigating the incident and taking a deeper look at whether Atrium had an adequate risk assessment and appropriate security controls consistent with the HIPAA Security Rule.
In recent press releases by HHS OCR about their investigations of data security incidents, OCR has recommended that health care providers, health plans, clearinghouses, and business associates that are covered by HIPAA take the following steps to mitigate or prevent cyber-threats:
- Identify where ePHI is located in the organization, including how ePHI enters, flows through, and leaves the organization’s information systems.
- Integrate risk analysis and risk management into the organization’s business processes.
- Ensure that audit controls are in place to record and examine information system activity.
- Implement regular reviews of information system activity.
- Utilize mechanisms to authenticate information to ensure only authorized users are accessing ePHI.
- Encrypt ePHI in transit and at rest to guard against unauthorized access to ePHI when appropriate.
- Incorporate lessons learned from incidents into the organization’s overall security management process.
- Provide workforce members with regular HIPAA training that is specific to the organization and to the workforce members’ respective job duties.
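The question raised above, whether the logs can show that nobody other than the researcher accessed the exposed files, is exactly what the audit-control and activity-review recommendations in this list exist to answer. The script below is an added example written for this post; it is not code from the original report, from Atrium/Advocate, or from the software vendor. It assumes a simple one-line-per-command FTP transfer log (timestamp, client IP, command, path, status), a placeholder researcher IP, placeholder exposure and log-retention dates, and a constructed six-line sample log. It reports which unexplained addresses touched the share during the exposure window, which files they successfully downloaded, and, importantly, refuses to call the result conclusive when logging did not cover the whole window.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample transfer log (not from any real system). Format assumed:
# "<ISO-8601 UTC timestamp> <client IP> <FTP command> <path> <OK|FAIL>".
SAMPLE_LOG = """\
2025-03-01T08:00:03Z 203.0.113.7 LIST /reports/ OK
2025-03-01T08:00:10Z 203.0.113.7 RETR /reports/billing_2025-02.pdf OK
2025-03-02T14:22:41Z 198.51.100.22 RETR /reports/compliance_2024-12.pdf OK
2025-03-02T14:23:05Z 198.51.100.22 RETR /reports/billing_2025-01.pdf FAIL
2025-03-03T09:15:00Z 203.0.113.7 RETR /reports/billing_2025-01.pdf OK
2025-03-04T11:02:37Z 192.0.2.50 LIST /reports/ OK
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<cmd>[A-Z]+) (?P<path>\S+) (?P<status>OK|FAIL)$"
)


@dataclass(frozen=True)
class Event:
    ts: datetime
    ip: str
    cmd: str
    path: str
    ok: bool


def parse_ts(text):
    """Parse the log's UTC timestamp format into a timezone-aware datetime."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_log(text):
    """Turn raw log text into Event records, skipping lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a malformed line should not abort the whole review
        events.append(Event(parse_ts(m["ts"]), m["ip"], m["cmd"], m["path"], m["status"] == "OK"))
    return events


def review_exposure(events, window_start, window_end, known_ips, log_start, log_end):
    """Summarise who touched the share during the exposure window.

    known_ips: addresses whose access is already explained (e.g. the researcher).
    log_start/log_end: the period for which logging was enabled and retained.
    The verdict is only conclusive when that period brackets the whole window;
    otherwise missing logs mean 'unknown', not 'nobody'.
    """
    in_window = [e for e in events if window_start <= e.ts <= window_end]
    other = [e for e in in_window if e.ip not in known_ips]
    # Successful RETR commands are the actual file downloads worth reporting.
    downloads = {}
    for e in other:
        if e.cmd == "RETR" and e.ok:
            downloads.setdefault(e.ip, []).append(e.path)
    covered = log_start <= window_start and log_end >= window_end
    return {
        "log_covers_window": covered,
        "other_ips": sorted({e.ip for e in other}),
        "downloads_by_other_ips": downloads,
        "no_unexplained_access": covered and not other,
    }


def run_sample(window_start="2025-03-01T00:00:00Z", window_end="2025-03-05T00:00:00Z",
               log_start="2025-02-28T00:00:00Z", log_end="2025-03-05T00:00:00Z"):
    """Run the review over the constructed sample using placeholder dates and IP."""
    researcher_ip = "203.0.113.7"  # placeholder, not the researcher's real address
    return review_exposure(parse_log(SAMPLE_LOG), parse_ts(window_start), parse_ts(window_end),
                           {researcher_ip}, parse_ts(log_start), parse_ts(log_end))


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

The design point is the `log_covers_window` flag: a review that only counts the IPs it happens to see will produce a reassuring "no other access" answer whenever logging was switched off, rotated away, or never enabled for the share, which is precisely the case in which an organisation cannot support a no-harm argument. Failed transfers are kept in `other_ips` but excluded from `downloads_by_other_ips`, since an attempted download still counts as unexplained activity even if no PHI left the server.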
Even if the current incident might be a “near-miss” incident, HHS OCR may take a look at Atrium’s compliance with those recommendations and any history of data security incidents. Atrium has disclosed a number of incidents over the years, some of which were previously reported on DataBreaches.net:
- In 2018, Atrium Health reported that 2.65 million records were affected by a hacking incident at a business associate, AccuDoc Solutions.
- In 2020, Atrium Health reported that 165,000 people were affected by a ransomware attack on a business associate, Blackbaud.
- In 2022, Atrium Health at Home reported that 6,695 patients were affected by a breach after an employee fell prey to a phishing attack.
- In 2023, Atrium Wake Forest Baptist Hospital reported that 3,679 patients were affected by a breach after an employee fell prey to a phishing attack.
- Also in 2023, Atrium’s business associate, Nuance Communications, announced that Atrium was one of its clients affected by the MOVEit hacking incident. The number of affected patients was not disclosed publicly.
- In 2024, Atrium Health reported that 32,120 patients were affected by a phishing attack.
- Also in 2024, Atrium Health reported that 585,959 patients were affected by a pixel tracking incident in which the tracking and disclosure to advertisers had gone on from January 2015 to July 2019. The problem was discovered in early 2024 and disclosed in November 2024.
And now it seems that Atrium Health had an unsecured database with ePHI. What, if anything, will HHS do?