Atrium Health is apologizing publicly and notifying patients who may have been impacted by a malicious email sent to employees in April, the company announced Friday.

Social Security numbers may have been among the personal information exposed to the criminals, Atrium said.

An unauthorized third party gained access to a group of employees’ emails through phishing, according to Atrium. Phishing occurs when an email looks trustworthy but deception is used to get information or access to online accounts.

The incident occurred between April 29 and April 30, according to Atrium, a Charlotte, North Carolina-based health care giant.

Atrium said it investigated, took steps to secure the affected accounts and confirmed the third party no longer had access. A forensic firm assisted with the investigation in July and notified law enforcement.

Atrium did not provide a total number of patients or workers impacted in a public notice. But the email did not impact all of Atrium Health’s patients or employees, according to Atrium.

It only reached people whose information happened to be in the email and/or files in the affected employees’ accounts, according to Atrium.

Atrium did not immediately say why it waited 4 1/2 months to make a public announcement of the security breach.

Atrium said it is unable to determine if the unauthorized party viewed any emails or attachments in the email accounts. The third party’s focus was not on medical or health information in the employees’ emails, the health care system added. Atrium’s electronic medical record systems are separate from its email system and were not affected by the incident, the company said.

Atrium officials are unaware of any misuse of patient or personal information, according to the health care system. And there is no evidence of personal information being viewed during the attack.

The health system is mailing letters to patients and employees whose personal information could have been exposed in the incident, and is posting an explanation on its website with an apology.

Atrium said information that may have been accessible included: first and/or last name; street address, email address, Social Security number; date of birth; medical record number; driver’s license or state-issued identification number; bank or financial account numbers or information, including routing numbers, financial institution name, security code/PIN and/or expiration date; treatment/diagnosis, prescription, health insurance and/or treatment cost information; patient identification number; and health insurance account or policy numbers.

Atrium is offering credit monitoring and identity protection services to people impacted by the phishing email.

People with questions about the phishing incident may call 866-997-1986 from 9 a.m. to 6:30 p.m. Monday through Friday. Information is also available at https://atriumhealth.org/dataincident.

About Atrium

Atrium Health is a part of Charlotte-based Advocate Health. The hospital system is the third-largest nonprofit health system in the U.S. and serves about 6 million patients.

More than 155,000 employees work in 68 hospitals and over 1,000 health care locations.

©2024 The Charlotte Observer. Visit at charlotteobserver.com. Distributed by Tribune Content Agency, LLC.