Health Information Management Vendor Identifies and Addresses Email Security Incident
Ciox Health, a company that provides health information management services to providers and insurers across the U.S., is working with its customers, including Catholic Health, to notify patients whose information may have been part of an incident involving unauthorized access to a Ciox employee’s email account. About 1,300 hospital and primary care patients in Catholic Health are affected and will be receiving a letter from Ciox in the coming days.
Emails and attachments may have been downloaded from the Ciox employee’s email account, which was accessed between June 24 and July 2, 2021. Ciox reviewed the account’s contents and learned in late September the emails and attachments contained limited patient information related to its billing inquiries and/or other customer service requests.
The review was completed in early November and between November 23 and December 30, 2021, Ciox began notifying providers whose patient information was involved in the incident. For Catholic Health, the information may have included patient names, provider names, dates of birth, dates of service, health insurance information, and/or medical record numbers. It is important to note that the Ciox employee whose email account was involved did not have direct access to any customer’s electronic medical record system.
While Ciox’s investigation did not find any instances of fraud or identity theft as a result of this incident, out of an abundance of caution, beginning today, Ciox is notifying affected Catholic Health patients. Ciox believes that the unauthorized account access occurred for purposes of sending outbound phishing emails to individuals unrelated to Ciox, NOT to access patient information. However, as a precaution, Ciox recommends individuals affected review billing statements from their healthcare providers and health insurers and contact them immediately if they see charges for services they did not receive.
Ciox takes the privacy and confidentiality of the information it maintains very seriously, and continuously evaluates its security procedures with industry best practices. To help prevent an incident like this from happening again, the company is continuing to identify additional security measures.
Ciox has established a toll-free call center for questions about this incident. The call center can be reached at (855) 618-3107, Monday through Friday, between 9:00 a.m. and 6:30 p.m., excluding some U.S. holidays. Additional information is also available at cioxhealth.com/notice-of-email-security-incident.
