The health information management services provider CIOX Health experienced a data breach that has affected no fewer than 32 healthcare providers. In July 2021, CIOX Health discovered that an unauthorized individual had gained access to the email account of a worker in the customer service team. The email account was promptly secured, and the subsequent investigation confirmed that the account was first accessed by an unauthorized person on June 24, 2021, with access continuing until the security breach was identified on July 2, 2021.
Based on the breach investigation by CIOX Health, it was confirmed that the incident was limited to just one staff email account. An audit of the data in the email account on September 24, 2021 revealed that it contained emails and file attachments holding the protected health information (PHI) of some of its healthcare provider clients, such as names, dates of birth, provider names, dates of service, and the Social Security numbers, driver’s license numbers, health insurance data, and/or treatment details of a very limited number of people.
The worker in question worked in customer support and assisted healthcare company clients throughout the country with billing problems and other customer service needs, which accounts for the substantial number of impacted clients. The worker did not, however, have access to the medical record systems of any of its healthcare provider clients.
CIOX Health stated that while the account was accessible, it is likely that emails containing protected health information were viewed or copied; however, no direct evidence of attempted or actual misuse of patient data was found. CIOX Health is convinced that the email account was compromised in order to send phishing email messages from the company domain to persons not related to CIOX Health.
CIOX Health is advising all people affected by the breach to review their statements and explanation of benefits statements from their healthcare companies and insurance companies for any indication of unauthorized use of their information.
As a result of the breach, CIOX Health will implement stronger email security measures and will provide the workers with additional security awareness training.
On December 30, 2021, CIOX Health started sending notifications to impacted healthcare company clients regarding the breach. Healthcare providers found to have been affected by the CIOX Health email account breach are the following:
Alabama Orthopaedic Specialists
AdventHealth in Orlando
Baptist Memorial Health Care
Butler Health Systems
Cameron Memorial Community Hospital
Children’s Healthcare of Atlanta
Coastal Family Health Center
DeSoto Memorial Hospital Health System
Hospital Sisters Health System
Hoag Health System
Huntsville Hospital Health System
Indiana University Health
McLeod Health System
Niagara Falls Memorial Medical Center Health System
Northern Light Mercy Hospital
Ohio State University Health System
Prisma Health – Palmetto Health
Prisma Health – Greenville Health System
Sarasota County Public Hospital District d/b/a Sarasota Memorial Health Care System
Trinity Health – Mount Carmel Health System
Trinity Health – Holy Cross Hospital
Trinity Health – Saint Alphonsus Health System
Trinity Health – St. Joseph Mercy Health System
Trinity Health – St. Francis Medical Center
Union Hospital Healthcare System
Women’s Health Specialist
CIOX Health reported the security breach to the HHS’ Office for Civil Rights, indicating that 12,493 individuals were impacted.