Someone on Twitter asked me what the first breach of 2022 would be. The following public notice is not the first breach of 2022. It is a 2021 breach that just showed up after midnight in my news search this morning. And because it involves a third-party breach, we may see other covered entities affected, too. DataBreaches.net has reached out to Ciox Health to ask for more details. In the meantime, here is UVA’s public notice:
On December 3, 2021, UVA Health, including the UVA Medical Center in Charlottesville and UVA Culpeper Medical Center in Culpeper, learned from Ciox Health, a vendor of health information management services for UVA Health and many other health systems and providers nationwide, that an unauthorized person accessed a Ciox Health employee’s email account and may have been able to view health information of patients of several of Ciox’s health system and provider clients, including the information of 429 UVA Health patients (.01% of total UVA Health patient records). Ciox Health has informed UVA Health that the unauthorized access occurred between June 24 and July 2, 2021, and during that time an unauthorized individual may have downloaded emails and attachments in the account. Ciox Health began investigating this incident as soon as they detected it and promptly reported it to UVA Health. They have provided the following details regarding this incident:
What Happened? Ciox Health became aware of unusual activity on the email account of one of their employees and, after securing the account, launched an investigation with the assistance of an outside cybersecurity firm. Unfortunately, Ciox Health has indicated that their investigation was unable to determine whether any emails or attachments were actually viewed or acquired. The activity occurred solely within Ciox Health’s systems and did not in any way compromise the security of UVA Health’s electronic medical record or other systems.
What Information was Involved? Ciox Health reviewed the information contained in their employee’s account and determined that the information contained in the account included patient names, dates of birth, provider names and dates of service. Patients’ Social Security numbers and financial information were not viewable.
What Are Ciox and UVA Health Doing to Address this Issue? Ciox Health assures us that they are implementing additional procedures to further strengthen email security, including best-practice multi-factor email authentication, as well as enforcing annual compliance training specific to security awareness and identifying and avoiding suspicious emails. Because the data breach occurred within Ciox Health’s systems, UVA Health has no reason to believe that its systems or security have been compromised. On December 30, 2021, UVA Health mailed letters to those patients whom Ciox Health was able to directly identify as potentially having been impacted by this issue. This publication is intended to make patients who might have been impacted, but for whom we do not have sufficient information to contact them directly, aware of this issue.
What Can UVA Health’s Patients Do? Ciox Health has indicated that it believes the account access occurred for purposes of sending phishing emails to individuals unrelated to Ciox Health and has no indication that patients’ information has been misused. However, as a precaution, UVA Health recommends that all patients continue to review statements they receive from their healthcare providers and health insurance provider and to contact their provider or insurer immediately if there are charges for services they did not receive. And as always, it is important to observe email best practices by being aware and not clicking on links or attachments in emails from senders you do not recognize. If you have any questions or need additional information, Ciox Health will provide a dedicated call center for affected patients. Patients with questions or who need more information can call 855.618.3107 between 9 a.m. and 6:30 p.m. Eastern Time, Monday through Friday. UVA Health and Ciox Health apologize for this incident and regret any inconvenience or concern this causes our patients.
Updated Jan. 3: Ciox responded to this site’s inquiry with the following statement:
The security incident involved one employee’s email account. Because this employee worked in a customer service role, servicing customers nationwide, there were many providers impacted. Ciox Health has previously reached out to impacted customers and notified appropriate regulators in accordance with applicable law.
So it is still not clear exactly how many patients have been notified or impacted as a result of this third-party breach.
Updated Jan. 5: Here is a list Ciox published of its clients on whose behalf it is providing notification:
LIST OF HEALTHCARE PROVIDERS ON WHOSE BEHALF CIOX HEALTH IS PROVIDING NOTICE OF EMAIL SECURITY INCIDENT
- AdventHealth – Orlando
- Alabama Orthopaedic Specialists
- Baptist Memorial Health Care
- Butler Health Systems
- Cameron Memorial Community Hospital
- Centra Health
- Children’s Healthcare of Atlanta
- Coastal Family Health Center
- Copley Hospital
- DeSoto Memorial Hospital Health System
- EvergreenHealth
- Hoag Health System
- Hospital Sisters Health System
- Huntsville Hospital Health System
- Indiana University Health
- McLeod Health System
- MD Partners
- Niagara Falls Memorial Medical Center Health System
- Northern Light Mercy Hospital
- Northwestern Medicine
- Ohio State University Health System
- OrthoConnecticut
- Prisma Health – Greenville Health System
- Prisma Health – Palmetto Health
- Sarasota County Public Hospital District d/b/a Sarasota Memorial Health Care System
- Trinity Health – Holy Cross Hospital
- Trinity Health – Mount Carmel Health System
- Trinity Health – Saint Alphonsus Health System
- Trinity Health – St. Francis Medical Center
- Trinity Health – St. Joseph Mercy Health System
- Union Hospital Healthcare System
- Women’s Health Specialist