by John R. Fischer, Senior Reporter | January 11, 2022
Ciox Health experienced an email breach that potentially exposed the information of nearly 12,500 patients
An email breach at Ciox Health has potentially exposed the information of patients at more than 30 healthcare facilities.
In an email on December 30, Ciox reported that the breach affected nearly 12,500 individuals, according to the HHS OCR HIPAA breach reporting site.
The health data management company revealed that an unauthorized user gained access to one of its employees' email accounts between late June and early July 2021. It is currently notifying patients but has not been able to determine whether the unauthorized person viewed or downloaded email messages or attachments from the account. The account contained "limited patient information" for patients associated with 32 provider customers, according to Modern Healthcare.
The company says it has so far not detected any fraud or identity theft as a result of the breach. "We believe that the account access occurred for purposes of sending phishing emails to individuals unrelated to Ciox, not to access patient information," Ciox Health said in a statement. "Protecting the privacy and security of the information Ciox maintains is critically important to us, and we are continuing to take steps to further strengthen our email security."
Ciox completed its review of the account in early November and began notifying patients later that month. The information in the account related to billing inquiries and customer service requests, and could include patient names, provider names, dates of birth, dates of service, health insurance information, clinical information, or Social Security or driver's license numbers.
Among the providers with affected patients are Baptist Memorial Health Care of Memphis, Tennessee; Northwestern Medicine in Chicago; and multiple facilities operated by Livonia, Michigan-based Trinity Health. While not listed by Ciox Health, the University of Virginia Health System in Charlottesville issued its own notice last month that 429 of its patients had data compromised in the Ciox Health breach.
Under the Health Insurance Portability and Accountability Act, covered entities and their business associates (such as Ciox, which handles patient data on behalf of providers) are required to report breaches affecting 500 or more individuals to the Health and Human Services Department's Office for Civil Rights within 60 days of discovering them. The incident was posted to the department's breach portal this week and is currently being investigated by the Office for Civil Rights.
Ciox recommends that patients review statements received from their providers and insurers and report any charges for services they did not receive. It has also set up a dedicated, toll-free call center for questions about the incident.