Ciox Health, a health data management company, is notifying patients on behalf of more than 30 provider customers that may have had patient data exposed in an email breach.
An unauthorized user accessed one Ciox Health employee's email account between late June and early July 2021, according to a notice the company published.
Ciox Health's investigation has thus far failed to determine whether the unauthorized person viewed or downloaded email messages or attachments in the compromised account—some of which contain patient information.
The company completed its review of the employee's email account Nov. 2 and began notifying provider customers about the incident Nov. 23. Ciox Health did not respond to a request for comment on how many patients may have had data exposed in the email breach.
Ciox Health, which merged last year with healthcare data company Datavant, handles record-retrieval requests for providers, patients and third parties.
The company determined that the compromised employee email account contained "limited patient information" related to billing inquiries and other customer service requests. That data could include patient names, provider names, dates of birth, dates of service, health insurance information, clinical information, or Social Security or driver's license numbers.
Ciox Health is notifying patients whose data were in the email account on behalf of 32 provider customers, including Baptist Memorial Health Care of Memphis, Tennessee, Chicago-based Northwestern Medicine and multiple facilities operated by Livonia, Michigan-based Trinity Health. At least one other provider not listed by Ciox Health has been affected: The Charlottesville-based University of Virginia Health System issued its own notice last month that 429 of its patients had data compromised in the Ciox Health breach.
So far, Ciox Health has not uncovered any instances of fraud or identity theft resulting from the email breach, according to the company.
"We believe that the account access occurred for purposes of sending phishing emails to individuals unrelated to Ciox, not to access patient information," Ciox Health said in a statement. "Protecting the privacy and security of the information Ciox maintains is critically important to us, and we are continuing to take steps to further strengthen our email security."
Healthcare entities covered by the Health Insurance Portability and Accountability Act are required to disclose breaches to the Health and Human Services Department's Office for Civil Rights within 60 days of discovering them. At the time this article was published, the incident had not yet been posted to the department's breach portal.
2021 marked a new record for healthcare data breaches, according to a review of data reported to the HHS portal. From the start of the year to mid-December, healthcare providers, insurers and their business associates reported 664 data breaches, already surpassing full-year 2020's total.