The health data management services provider CIOX Health suffered a data breach that has impacted at least 32 healthcare companies. In July 2021, CIOX Health learned that an unauthorized individual had obtained access to the email account of a staff member in the customer service section. The email account was quickly secured, and the subsequent investigation confirmed that the account was first accessed by an unauthorized person on June 24, 2021, with access continuing until the security breach was discovered on July 2, 2021.
CIOX Health's breach investigation confirmed that the breach was limited to a single employee email account. Analysis of the contents of the email account on September 24, 2021 showed that it included emails and attachments containing protected health information (PHI) from some of its healthcare provider clients, such as names, birth dates, names of providers, dates of service, and, for a very small number of persons, Social Security numbers, driver’s license numbers, medical insurance data, and/or treatment details.
The employee involved worked in customer support, helping healthcare company clients across the country with billing concerns and other customer service tickets, which is why a sizeable number of clients were affected. The employee did not, however, have access to the healthcare record systems of any of its healthcare provider customers.
CIOX Health said that while the account was accessible, it is probable that emails containing PHI were viewed or copied; however, no direct evidence of attempted or actual misuse of patient information was found. CIOX Health believes the email account was accessed in order to send phishing emails from the company domain to people not connected to CIOX Health.
CIOX Health is advising everyone impacted by the breach to review their statements and explanation of benefits statements from their healthcare providers and insurance providers for any sign of unauthorized use of their data.
In response to the breach, CIOX Health will implement stronger email security procedures and provide employees with additional security awareness training.
On December 30, 2021, CIOX Health began informing affected healthcare company clients of the breach. Healthcare companies identified as having been impacted by the CIOX Health email security breach are:
- Alabama Orthopaedic Specialists
- AdventHealth in Orlando
- Butler Health Systems
- Baptist Memorial Health Care
- Centra Health
- Cameron Memorial Community Hospital
- Copley Hospital
- Children’s Healthcare of Atlanta
- Coastal Family Health Center
- DeSoto Memorial Hospital Health System
- Hospital Sisters Health System
- Huntsville Hospital Health System
- Hoag Health System
- Indiana University Health
- MD Partners
- McLeod Health System
- Northwestern Medicine
- Niagara Falls Memorial Medical Center Health System
- Northern Light Mercy Hospital
- Ohio State University Health System
- Prisma Health – Palmetto Health
- Prisma Health – Greenville Health System
- Sarasota County Public Hospital District d/b/a Sarasota Memorial Health Care System
- Trinity Health – Mount Carmel Health System
- Trinity Health – Saint Alphonsus Health System
- Trinity Health – St. Francis Medical Center
- Trinity Health – Holy Cross Hospital
- Trinity Health – St. Joseph Mercy Health System
- Women’s Health Specialist
- Union Hospital Healthcare System
CIOX Health reported the email account breach to the HHS’ Office for Civil Rights, stating that 12,493 people were affected.