Ciox Health’s (“Ciox”) “Notice Of EMail Security Incident” states that Ciox is working with its customers to notify individuals whose personal information may have been involved in a security incident which resulted in unauthorized access to the e-mail account of a Ciox employee.
The data incident notification stated that
[a]n unauthorized person accessed one Ciox employee’s email account between June 24, 2021, and July 2, 2021, and during that time may have downloaded emails and attachments in the account. Ciox reviewed the account’s contents to determine whether sensitive information was contained in the account. On September 24, 2021, Ciox learned that some emails and attachments in the employee’s email account contained limited patient information related to Ciox billing inquiries and/or other customer service requests. The review was completed on November 2, 2021.
Between November 23, 2021, and December 30, 2021, [Ciox] began the process of notifying our healthcare provider customers of this incident. Since then, [Ciox has] worked with the providers to notify the affected individuals whose information was identified by the review.
Ciox’s notice stated that “[t]he information involved included patient names, provider names, dates of birth, and/or dates of service. In very limited instances, the information involved may have also included Social Security numbers or driver’s license numbers, health insurance information, and/or clinical or treatment information.” [Emphasis added.]
According to Ciox, the “. . . employee whose email account was involved did not have direct access to any healthcare provider’s or facility’s electronic medical record system.”
Ciox provided a list of healthcare providers on whose behalf Ciox is furnishing notice of the e-mail data breach. As of January 6, 2022, the list of healthcare providers listed on Ciox’s website included:
- AdventHealth – Orlando
- Alabama Orthopaedic Specialists
- Baptist Memorial Health Care
- Butler Health Systems
- Cameron Memorial Community Hospital
- Centra Health
- Children’s Healthcare of Atlanta
- Coastal Family Health Center
- Copley Hospital
- DeSoto Memorial Hospital Health System
- Hoag Health System
- Hospital Sisters Health System
- Huntsville Hospital Health System
- Indiana University Health
- McLeod Health System
- MD Partners
- Niagara Falls Memorial Medical Center Health System
- Northern Light Mercy Hospital
- Northwestern Medicine
- Ohio State University Health System
- Prisma Health – Greenville Health System
- Prisma Health – Palmetto Health
- Sarasota County Public Hospital District d/b/a Sarasota Memorial Health Care System
- Trinity Health – Holy Cross Hospital
- Trinity Health – Mount Carmel Health System
- Trinity Health – Saint Alphonsus Health System
- Trinity Health – St. Francis Medical Center
- Trinity Health – St. Joseph Mercy Health System
- Union Hospital Healthcare System
- Women’s Health Specialist
Ciox’s data breach notification also stated that
[w]hile the investigation did not find any instances of fraud or identity theft that have occurred as a result of this incident, out of an abundance of caution, beginning December 30, 2021, Ciox will be working with [its] customers to notify patients whose information was reflected in the emails and/or attachments and for whom [Ciox] had sufficient contact information. [Ciox is] also providing resources involved individuals can use to help protect their information, including complimentary credit monitoring and identity protection services to the limited number of individuals whose Social Security numbers or driver’s license numbers were involved in this incident.
Ciox believes that the account access occurred for purposes of sending phishing emails to individuals unrelated to Ciox, not to access patient information. However, as a precaution, Ciox recommends individuals review statements received from their healthcare providers and health insurers. If they see charges for services they did not receive, they should contact the provider or insurer immediately.
Have You Been Impacted by A Data Breach?
If so, please complete the form on the right or contact Kehoe Law Firm, P.C., [email protected], for a free, no-obligation evaluation of potential legal claims.
Examples of the type of relief sought by data privacy class actions, include, but are not limited to, reimbursement of identity theft losses and of out-of-pocket costs paid by data breach victims for protective measures such as credit monitoring services, credit reports, and credit freezes; compensation for time spent responding to the breach; imposition of credit monitoring services and identity theft insurance, paid for by the defendant company; and improvements to the defendant company’s data security systems.
Data privacy class actions are brought on a contingent-fee basis; thus, plaintiffs and the class members do not pay out-of-pocket attorney’s fees or litigation costs. Subject to court approval, attorney’s fees and litigation costs are derived from the recovery obtained for the class.