Atrium patients’ information vulnerable after hack at software company

CHARLOTTE, N.C. (WBTV) - Patients and donors at Atrium Health might have had personal information stolen when a software company was hacked earlier this year.

A letter Atrium is sending out to people says a company called Blackbaud was the victim of a ransomware attack and some personal information, including names, birthdays and doctors’ names, may have been taken.

Blackbaud works with Atrium and other hospitals and non-profits as a third-party software company.

The letter from Atrium says personal information like names, birthdays and even doctors’ names might have been compromised but that bank account and social security numbers were not.

In a statement, Blackbaud said that it paid off the hackers and that “we have no reason to believe that any data went beyond the cybercriminal, was or will be misused.”

“You’re dealing with scumbags, you’re dealing with criminals, they could say they deleted this information but what guarantees do you have?” said Greg Scasny, a cyber defense expert with Cigent.

Scasny says there’s no reason to believe that the information is deleted and that other hackers could use it to gain access to more of your information.

“If I have your name and who your doctor is I can make very crafty phishing emails with that little bit of information to get you to click to either try and get more money from you or ransom your stuff,” Scasny said.

Scasny says people whose information may have been compromised should make sure they’re using strong passwords and two-factor authentication, and should regularly check their credit reports.

This isn’t the first time a third-party hack has put Atrium patients at risk.

In 2018 a company called AccuDoc was compromised when another software company it works with was hacked.

Patients’ names, insurance information and even social security numbers were vulnerable.

Regan says he called to ask Atrium what they’re doing to make sure this doesn’t happen again.

“When I asked her several questions like what does Atrium Health do to vet these vendors or contractors that they do business with and she started using a lot of filler words like uh and umm and couldn’t give me clear, concise answers to what’s going to be done to prevent this in the future,” Reagan said.

In a statement to WBTV Atrium Health wrote – “We have engaged our legal, security and privacy teams to investigate what took place at Blackbaud. Blackbaud has confirmed that it has identified and fixed the vulnerability associated with the incident.”

Atrium sent a statement to WBTV addressing what it's doing after the hack of Blackbaud. (Source: WBTV)

The hack of Blackbaud took place in May but the company didn’t notify Atrium until July.

Atrium patients are only finding out now. Scasny says sometimes companies must maintain secrecy about hacks to assist in federal investigations but otherwise should be fully transparent about these incidents as quickly as possible.

Copyright 2020 WBTV. All rights reserved.