What Happened in the Atrium Health Data Breach?
In July 2026, Atrium Health agreed to pay up to $1.8 million to resolve a class action lawsuit over its use of tracking tools on its patient portal. This settlement marks a major development in a data breach case that has been working through the North Carolina court system for several years. The agreement resolves claims that the health system exposed patient data without proper consent.
Atrium Health operates a dozen hospitals and more than 900 care facilities across North and South Carolina. Like many health systems, Atrium Health added tracking technologies to its MyAtriumHealth patient portal, formerly known as MyCarolinas. These tools, often provided by companies such as Meta and Google, are common on websites. However, placing them on authenticated pages like patient portals creates a real risk of exposing sensitive health information to outside companies.
Following an internal investigation, Atrium Health determined that the protected health information of up to 585,959 patients may have been impermissibly disclosed. This exposure reportedly occurred between January 1, 2015, and July 31, 2019. Because Atrium Health could not confirm exactly whose data was shared, it assumed that all patients who used the portal during this period were affected.
The breach led to multiple class action lawsuits, which were later consolidated into a single case in the Superior Court of Mecklenburg County. Atrium Health denied any wrongdoing throughout the litigation. Even so, the company chose to settle rather than continue fighting the case in court.
Who was affected?
The breach affected patients who used the MyAtriumHealth or MyCarolinas patient portal. As a result, this includes anyone who logged into their account to view medical records, message providers, or manage appointments. Up to 585,959 patients may have had their information disclosed to third parties without their knowledge.
The settlement class is broader than just the group directly tied to the tracking exposure. It covers all individuals residing in the United States who had a patient portal account between January 1, 2015, and April 10, 2024. This means the affected population spans nearly a decade of portal users, including both active and less active accountholders. Because patient portals are often used by people managing chronic conditions or family members’ care, the scope of this breach likely includes a wide range of patients across different age groups.
What Information Was Potentially Exposed?
The tracking tools used on the Atrium Health patient portal could collect and transmit several types of data to third parties. The specific information exposed depended on what a patient entered while using the portal. Below is a summary of the data categories involved.
- IP addresses
- Third-party identifiers and cookies
- Full names (if entered into forms)
- Email addresses (if entered into forms)
- Phone numbers (if entered into forms)
- City, state, and zip code (if entered into forms)
- Gender (if entered into forms)
- Other information entered into portal forms
Although this breach did not involve Social Security numbers or financial account details, the exposed data still carries real risk. For example, IP addresses combined with identifying details can allow third parties to build detailed profiles of a person’s health-related browsing habits. This type of information could be used for targeted advertising or, in more troubling scenarios, to infer sensitive health conditions.
In addition, exposed contact information such as email addresses and phone numbers could be used in phishing attempts. Scammers sometimes reference real personal details to make fraudulent messages seem legitimate. As a result, affected patients should remain alert to unexpected messages referencing their healthcare provider or portal account.
What is the company doing?
After discovering the impermissible disclosures, Atrium Health investigated how the tracking tools operated on its patient portal. The health system then reported the breach and began notifying affected individuals as required. Atrium Health has maintained throughout the process that it did not violate any laws.
To resolve the litigation, Atrium Health agreed to establish an $1,800,000 settlement fund. Of this amount, $1,500,000 will cover attorneys’ fees, administration costs, and payments to individuals who used their accounts between January 1, 2015, and July 31, 2019. An additional $300,000 has been set aside for a second group of claimants who held accounts during a broader window but did not access them during the primary exposure period.
What Should Affected Individuals Do?
Submit a Claim Before the Deadline
Affected individuals who want to receive a payment must submit a claim by September 28, 2026. This applies to anyone who had a MyAtriumHealth or MyCarolinas account during the relevant periods. Missing this deadline means forfeiting the opportunity to receive compensation from the settlement fund.
Because the settlement includes two distinct claimant groups, it’s worth checking which category applies to you. Group 1 members, who used their accounts during the primary exposure window, may receive a pro rata share of the remaining funds. Group 2 members, who held accounts but did not access them during that window, can receive up to $10.
Monitor Your Credit Reports
Even though this breach did not expose Social Security numbers, it’s still wise to monitor your credit reports regularly. Identity thieves sometimes combine data from multiple breaches to build a fuller picture of a victim. Checking your credit reports helps you catch unfamiliar accounts or inquiries early.
You can request free credit reports from the three major credit bureaus each year. In addition, many banks and credit card companies now offer free credit monitoring tools. Reviewing these reports regularly makes it easier to spot suspicious activity before it becomes a bigger problem.
Stay Alert for Phishing Attempts
Because contact information may have been exposed, affected patients should watch for suspicious emails, texts, or calls. Scammers often pose as healthcare providers or insurers to trick people into giving up more sensitive information. Therefore, never click links or share personal details in response to unexpected messages.
Instead, if you receive a message that claims to be from Atrium Health, contact the health system directly using a verified phone number or website. This simple step helps confirm whether the communication is legitimate. It also protects you from handing over data to a scammer impersonating a trusted provider.
Review Your Patient Portal Privacy Settings
Going forward, it’s a good idea to review the privacy settings on any patient portal you use. Many portals now offer more transparency about third-party tools and data sharing practices. Understanding these settings can help you make informed choices about what information you share.
If you have concerns about how your health data is being used, consider reaching out to your healthcare provider directly. Asking questions about their privacy practices is a reasonable step for any patient. This is especially true after a breach involving tracking technologies like this one.
Consider Speaking with a Data Breach Attorney
If you’re unsure whether you qualify for compensation or have concerns about how your data was used, speaking with a data breach attorney can help clarify your options. An attorney can review your specific situation and explain what steps might be available to you.
Many attorneys offer free consultations for data breach cases like this one. This means you can get informed guidance without any upfront cost. Given the complexity of settlement claim groups and deadlines, professional advice can help ensure you don’t miss out on compensation you’re entitled to.
More Information
Official data breach notification from California Attorney General