Hackers Hit Healthcare Data Management Company

The protected health information (PHI) of thousands of individuals may have been exposed in a hacking incident at a healthcare information management company based in Georgia.

Clinical or treatment information and social security numbers were among the sensitive data compromised during a successful cyber-attack on Ciox Health last summer.

Ciox Health, headquartered in Alpharetta, provides various services, including information release, medical record retrieval and health information management, to more than 30 healthcare providers.

According to a notice recently issued by Ciox Health, an unauthorized person accessed the email account of a Ciox employee between June 24 2021 and July 2 2021. 

The company warned that the threat actor may have used that access to download emails and attachments associated with the compromised account.

“Ciox reviewed the account’s contents to determine whether sensitive information was contained in the account,” said the notice. 

“On September 24 2021, Ciox learned that some emails and attachments in the employee’s email account contained limited patient information related to Ciox billing inquiries and/or other customer service requests.”

Information that the attacker may have accessed included patient names, provider names, dates of birth and/or dates of service. Social security numbers or driver’s license numbers, health insurance information and/or clinical or treatment information were also exposed in what Ciox described as “very limited instances.”

The data breach was reported to the US Department of Health and Human Services’ Office for Civil Rights on December 30 as a hacking/IT incident impacting 12,493 individuals. 

Ciox Health said it began notifying its healthcare provider customers of the security incident on November 23. The security notice published on Ciox Health’s website was issued on behalf of 32 different healthcare providers, including Children’s Healthcare of Atlanta, Indiana University Health, Niagara Falls Memorial Medical Center Health System and Sarasota County Public Hospital District d/b/a Sarasota Memorial Health Care System.

“To help prevent something like this from happening again, we have and will continue to identify opportunities to implement additional procedures to further strengthen our email security, including by providing enhanced cybersecurity training to our employees,” stated Ciox Health.
