Healthcare information management company Ciox announced they have begun notifying business associates following an employee email breach of protected health information (PHI) affecting the patients of at least 32 healthcare providers nationwide.
What We Know About the Ciox Vendor Email Breach
In a post on their website, the Alpharetta, Georgia-based company admitted that an unauthorized person accessed one Ciox employee’s email account between June 24 and July 2, 2021. The breach was not discovered until September 24, 2021, and the investigative review was completed on November 2, 2021.
Sensitive files containing PHI including patient names, provider names, dates of birth, and/or dates of service may have been downloaded from emails and attachments by the threat actor. Some files may have also contained Social Security numbers or driver’s license numbers, health insurance information, and/or clinical or treatment information.
In their statement, Ciox speculated that the account was accessed, “…for purposes of sending phishing emails to individuals unrelated to Ciox, not to access patient information.”
What is Being Done About the Ciox Vendor Email Breach
Ciox stated online that they began the process of notifying their healthcare providers between November 23 and December 30, 2021. They have also been working with providers to notify affected individuals. Breach notification is required as part of complete HIPAA compliance.
Ciox clarified that the employee whose email account was involved, “did not have direct access to any healthcare provider’s or facility’s electronic medical record system.”
Providers Affected by the Ciox Vendor Email Breach
Ciox is providing notice of the email security incident to patients of the following healthcare providers:
- AdventHealth – Orlando
- Alabama Orthopaedic Specialists
- Baptist Memorial Health Care
- Butler Health Systems
- Cameron Memorial Community Hospital
- Centra Health
- Children’s Healthcare of Atlanta
- Coastal Family Health Center
- Copley Hospital
- DeSoto Memorial Hospital Health System
- EvergreenHealth
- Hoag Health System
- Hospital Sisters Health System
- Huntsville Hospital Health System
- Indiana University Health
- McLeod Health System
- MD Partners
- Niagara Falls Memorial Medical Center Health System
- Northern Light Mercy Hospital
- Northwestern Medicine
- Ohio State University Health System
- OrthoConnecticut
- Prisma Health – Greenville Health System
- Prisma Health – Palmetto Health
- Sarasota County Public Hospital District d/b/a Sarasota Memorial Health Care System
- Trinity Health – Holy Cross Hospital
- Trinity Health – Mount Carmel Health System
- Trinity Health – Saint Alphonsus Health System
- Trinity Health – St. Francis Medical Center
- Trinity Health – St. Joseph Mercy Health System
- Union Hospital Healthcare System
- Women’s Health Specialist
Takeaways From the Ciox Vendor Email Breach
The Department of Health and Human Services “Wall of Shame” lists breaches affecting more than 500 patients. However, as of January 6, 2022, there was no breach reported for Ciox.
The HIPAA Breach Notification Rule requires that all breaches must be reported to the affected parties within 60 days of discovery and that breaches affecting more than 500 patients must be reported to HHS and the media. Failure to do so can result in substantial fines.
Business associates like Ciox must be HIPAA compliant to do business with healthcare providers and other covered entities. Signed business associate agreements can help shield providers from the regulatory penalties that could result from a breach.
As breaches like this become more commonplace, both business associates and providers should be certain that they have comprehensive HIPAA compliance strategies tailored to their business. If you have questions or concerns about your HIPAA compliance, talk to one of our experts at Compliancy Group.
