Ciox Health E-Mail Data Breach – Protected Health Information Impacted

Date06 Jan 2022

Comment0

Ciox Health’s (“Ciox”) “Notice Of EMail Security Incident” states that Ciox is working with its customers to notify individuals whose personal information may have been involved in a security incident which resulted in unauthorized access to the e-mail account of a Ciox employee.

The data incident notification stated that

[a]n unauthorized person accessed one Ciox employee’s email account between June 24, 2021, and July 2, 2021, and during that time may have downloaded emails and attachments in the account. Ciox reviewed the account’s contents to determine whether sensitive information was contained in the account. On September 24, 2021, Ciox learned that some emails and attachments in the employee’s email account contained limited patient information related to Ciox billing inquiries and/or other customer service requests. The review was completed on November 2, 2021.

Between November 23, 2021, and December 30, 2021, [Ciox] began the process of notifying our healthcare provider customers of this incident. Since then, [Ciox has] worked with the providers to notify the affected individuals whose information was identified by the review.

Ciox’s notice stated that “[t]he information involved included patient names, provider names, dates of birth, and/or dates of service. In very limited instances, the information involved may have also included Social Security numbers or driver’s license numbers, health insurance information, and/or clinical or treatment information.” [Emphasis added.]

According to Ciox, the “. . . employee whose email account was involved did not have direct access to any healthcare provider’s or facility’s electronic medical record system.”

Ciox provided a list of healthcare providers on whose behalf Ciox is furnishing notice of the e-mail data breach. As of January 6, 2022, the list of healthcare providers listed on Ciox’s website included:

AdventHealth – Orlando
Alabama Orthopaedic Specialists
Baptist Memorial Health Care
Butler Health Systems
Cameron Memorial Community Hospital
Centra Health
Children’s Healthcare of Atlanta
Coastal Family Health Center
Copley Hospital
DeSoto Memorial Hospital Health System
EvergreenHealth
Hoag Health System
Hospital Sisters Health System
Huntsville Hospital Health System
Indiana University Health
McLeod Health System
MD Partners
Niagara Falls Memorial Medical Center Health System
Northern Light Mercy Hospital
Northwestern Medicine
Ohio State University Health System
OrthoConnecticut
Prisma Health – Greenville Health System
Prisma Health – Palmetto Health
Sarasota County Public Hospital District d/b/a Sarasota Memorial Health Care System
Trinity Health – Holy Cross Hospital
Trinity Health – Mount Carmel Health System
Trinity Health – Saint Alphonsus Health System
Trinity Health – St. Francis Medical Center
Trinity Health – St. Joseph Mercy Health System
Union Hospital Healthcare System
Women’s Health Specialist

Ciox’s data breach notification also stated that

[w]hile the investigation did not find any instances of fraud or identity theft that have occurred as a result of this incident, out of an abundance of caution, beginning December 30, 2021, Ciox will be working with [its] customers to notify patients whose information was reflected in the emails and/or attachments and for whom [Ciox] had sufficient contact information. [Ciox is] also providing resources involved individuals can use to help protect their information, including complimentary credit monitoring and identity protection services to the limited number of individuals whose Social Security numbers or driver’s license numbers were involved in this incident.

Ciox believes that the account access occurred for purposes of sending phishing emails to individuals unrelated to Ciox, not to access patient information. However, as a precaution, Ciox recommends individuals review statements received from their healthcare providers and health insurers. If they see charges for services they did not receive, they should contact the provider or insurer immediately.

Have You Been Impacted by A Data Breach?

If so, please complete the form on the right or contact Kehoe Law Firm, P.C., [email protected], for a free, no-obligation evaluation of potential legal claims.

Examples of the type of relief sought by data privacy class actions, include, but are not limited to, reimbursement of identity theft losses and of out-of-pocket costs paid by data breach victims for protective measures such as credit monitoring services, credit reports, and credit freezes; compensation for time spent responding to the breach; imposition of credit monitoring services and identity theft insurance, paid for by the defendant company; and improvements to the defendant company’s data security systems.

Data privacy class actions are brought on a contingent-fee basis; thus, plaintiffs and the class members do not pay out-of-pocket attorney’s fees or litigation costs. Subject to court approval, attorney’s fees and litigation costs are derived from the recovery obtained for the class.