Business Associate Data Breach Impacts 32 Healthcare Organizations
More than 30 healthcare organizations were impacted by a business associate data breach targeted at technology vendor Ciox Health.
More than 30 healthcare organizations were impacted by a business associate data breach targeted at Ciox Health, a clinical data technology company.
An unauthorized third party accessed one Ciox employee’s email account between June 24 and July 2, 2021, a notice on the company’s website explained. The individual may have downloaded emails and attachments from the account.
On September 24, Ciox determined that the emails and attachments contained patient information relating to billing inquiries and other customer service requests. In November and December, Ciox began notifying its healthcare provider customers of the breach.
The exposed information may have included patient names, birth dates, dates of service, and provider names. In very few cases, the emails included Social Security numbers, driver’s license numbers, treatment information, and health insurance information.
“It is important to note that the Ciox employee whose email account was involved did not have direct access to any healthcare provider’s or facility’s electronic medical record system,” the notice emphasized.
The following healthcare organizations were potentially impacted by this security incident:
- AdventHealth – Orlando
- Alabama Orthopaedic Specialists
- Baptist Memorial Health Care
- Butler Health Systems
- Cameron Memorial Community Hospital
- Centra Health
- Children’s Healthcare of Atlanta
- Coastal Family Health Center
- Copley Hospital
- DeSoto Memorial Hospital Health System
- EvergreenHealth
- Hoag Health System
- Hospital Sisters Health System
- Huntsville Hospital Health System
- Indiana University Health
- McLeod Health System
- MD Partners
- Niagara Falls Memorial Medical Center Health System
- Northern Light Mercy Hospital
- Northwestern Medicine
- Ohio State University Health System
- OrthoConnecticut
- Prisma Health – Greenville Health System
- Prisma Health – Palmetto Health
- Sarasota County Public Hospital District d/b/a Sarasota Memorial Health Care System
- Trinity Health – Holy Cross Hospital
- Trinity Health – Mount Carmel Health System
- Trinity Health – Saint Alphonsus Health System
- Trinity Health – St. Francis Medical Center
- Trinity Health – St. Joseph Mercy Health System
- Union Hospital Healthcare System
- Women’s Health Specialist
Ciox said that it began working with its customers to notify impacted patients on December 30. However, the investigation did not find any concrete evidence of fraud or identity theft as a result of the incident.
“Ciox believes that the account access occurred for purposes of sending phishing emails to individuals unrelated to Ciox, not to access patient information,” the notice continued.
“However, as a precaution, Ciox recommends individuals review statements received from their healthcare providers and health insurers. If they see charges for services they did not receive, they should contact the provider or insurer immediately.”
In its notice, Ciox said that it would provide its employees with enhanced cybersecurity training and implement stronger email security safeguards.