When a hacker succeeds in attacking one business associate, the damage multiplies fast.
Ciox Health, a clinical data technology company, reports that an unauthorized third party accessed one Ciox employee’s email account between June 24 and July 2, 2021, and may have downloaded emails and attachments from the account.
Ciox said some emails and attachments in the employee’s email account contained patient information related to billing inquiries and other customer service requests. The information involved included patient names, provider names, dates of birth, and/or dates of service. In a small number of cases, the emails also included patients’ Social Security numbers, driver’s license numbers, health insurance information, and clinical and treatment information.
The official Ciox notice downplays the potential impact on affected individuals. However, it is well known that hackers target healthcare organizations and the patient information they hold.
On a positive note, Ciox is advising affected individuals to review statements received from their healthcare providers and health insurers and to immediately report any charges for services they did not receive. This matters because patient safety depends on accurate medical records, and a fraudulent charge for care the patient never received can leave an erroneous entry in those records. Broward County Health provided the same advice to individuals affected by a breach earlier this year. We hope this trend continues, as the advice is often missing from breach notifications, which typically focus on financial and credit risks.
Companies like Ciox are essential in healthcare. They specialize in revenue cycle management, data analysis, and data transmission interoperability. Most medium- to large-sized healthcare providers need third-party vendors to supply technical support in specialized services like these. Ciox has provider customers across the United States, from California to Maine.
The providers affected include:
- AdventHealth – Orlando (Fla.)
- Alabama Orthopaedic Specialists (Prattville)
- Baptist Memorial Health Care (Memphis, Tenn.)
- Butler (Pa.) Health System
- Cameron Memorial Community Hospital (Angola, Ind.)
- Centra Health (Lynchburg, Va.)
- Children’s Healthcare of Atlanta
- Coastal Family Health Center (Biloxi, Miss.)
- Copley Hospital (Morrisville, Vt.)
- DeSoto Memorial Hospital Health System (Arcadia, Fla.)
- EvergreenHealth (Kirkland, Wash.)
- Hoag Health System (Newport Beach, Calif.)
- Hospital Sisters Health System (Springfield, Ill.)
- Huntsville (Ala.) Hospital Health System
- Indiana University Health (Indianapolis)
- McLeod Health (Florence, S.C.)
- MD Partners (Grass Valley, Calif.)
- Niagara Falls (N.Y.) Memorial Medical Center Health System
- Northern Light Mercy Hospital (Portland, Maine)
- Northwestern Medicine (Chicago)
- Ohio State University Health System (Columbus)
- OrthoConnecticut (Danbury)
- Prisma Health (Greenville, S.C.)
- Prisma Health – Palmetto Health (Greenville, S.C.)
- Sarasota (Fla.) Memorial Health Care System
- Trinity Health – Holy Cross Hospital (Fort Lauderdale, Fla.)
- Trinity Health – Mount Carmel Health System (Columbus, Ohio)
- Trinity Health – Saint Alphonsus Health System (Boise, Idaho)
- Trinity Health – St. Francis Medical Center (Trenton, N.J.)
- Trinity Health – St. Joseph Mercy Health System (Ann Arbor, Mich.)
- Union Hospital Healthcare System (Terre Haute, Ind.)
- Women’s Health Specialist (Westland, Mich.)
Prevention with Business Associate Due Diligence
For cyber criminals, an attack on a business associate like Ciox is a shortcut to a treasure trove of data. All covered entities and all of their business associates must comply with HIPAA.
Although none of the affected providers experienced this security incident firsthand, the protected health information (PHI) of all of their patients held by Ciox may have been breached. This is why HIPAA requires business associates to comply with HIPAA, and requires covered entities (e.g., providers and health plans) to perform due diligence on, and enter business associate agreements with, the third-party vendors that handle their PHI.