Thousands of people's protected health information (PHI) may have been compromised in a hacking attack at a Georgia-based healthcare information management organization. Clinical or treatment information, as well as social security numbers, were among the sensitive data compromised during Ciox Health's cyber-attack last summer. Ciox Health is headquartered in Alpharetta, Georgia. The organization offers a variety of services in release of information (ROI), record retrieval, and health information management. Ciox serves three out of every five hospitals and over 16,000 physician practices.
According to a recent Ciox Health notification, an unauthorized person accessed a Ciox employee's email account between June 24 and July 2, 2021. The threat actor may have utilized that access to download emails and attachments related to the compromised account, according to the firm.
“Ciox reviewed the account’s contents to determine whether sensitive information was contained in the account,” said the notice. “On September 24 2021, Ciox learned that some emails and attachments in the employee’s email account contained limited patient information related to Ciox billing inquiries and/or other customer service requests.”
According to the company, no fraud or theft has been detected as a result of the incident. "We believe that the account access occurred for purposes of sending phishing emails to individuals unrelated to Ciox, not to access patient information," Ciox Health said in a statement. "Protecting the privacy and security of the information Ciox maintains is critically important to us, and we are continuing to take steps to further strengthen our email security."
Ciox investigated the case in early November and began alerting patients later that month. The account information was related to billing inquiries and customer service requests, and it could have included patient names, provider names, dates of birth, dates of service, health insurance information, clinical information, or social security or driver's license numbers.
On December 30, the data breach was reported to the US Department of Health and Human Services' Office for Civil Rights as a hacking/IT issue affecting 12,493 people. The security notice was issued on behalf of 32 different healthcare providers, including Children's Healthcare of Atlanta, Indiana University Health, Niagara Falls Memorial Medical Center Health System, and Sarasota County Public Hospital District d/b/a Sarasota Memorial Health Care System, and was published on Ciox Health's website.