Ciox Health breach compromises patient data from dozens of providers


Ciox Health, a healthcare data management company, is notifying patients on behalf of more than 30 provider customers whose patient data may have been exposed in an email breach.

An unauthorized user accessed the email account of a Ciox Health employee between late June and early July 2021, according to a notice posted by the company.

Ciox Health’s investigation has so far been unable to determine whether the unauthorized person viewed or downloaded any emails or attachments in the compromised account, some of which contain patient information.

The company completed its review of the employee’s email account on November 2 and began notifying provider customers of the incident on November 23. Ciox Health did not respond to a request for comment on how many patients may have had data exposed in the email breach.

Ciox Health, which merged with health data company Datavant last year, handles record retrieval requests for providers, patients and third parties.

The company determined that the compromised employee’s email account contained “limited patient information” related to billing inquiries and other customer service requests. This data may include patient names, provider names, dates of birth, dates of service, health insurance information, clinical information, or social security or driver’s license numbers.

Ciox Health is notifying patients whose data was in the email account on behalf of 32 provider customers, including Baptist Memorial Health Care of Memphis, Tennessee, Chicago-based Northwestern Medicine, and several facilities operated by Trinity Health, based in Livonia, Michigan. At least one other provider not listed by Ciox Health has been affected: the Charlottesville-based University of Virginia Health System issued its own notice last month that 429 of its patients had data compromised in the Ciox Health breach.

So far, Ciox Health has not uncovered any cases of fraud or identity theft resulting from the email breach, according to the company.


“We believe the account access was for the purpose of sending phishing emails to people unrelated to Ciox, and not to access patient information,” Ciox Health said in a statement. “Protecting the privacy and security of information held by Ciox is of utmost importance to us, and we continue to take steps to further strengthen the security of our emails.”

Healthcare entities covered by the Health Insurance Portability and Accountability Act (HIPAA) are required to report breaches to the Office for Civil Rights of the Department of Health and Human Services within 60 days of discovery. At the time of this article’s publication, the incident had not yet been published on the department’s breach portal.

2021 marked a new record for healthcare data breaches, according to a review of data reported to the HHS portal. From the start of the year to mid-December, healthcare providers, insurers and their business partners reported 664 data breaches, already exceeding the total for 2020.

