Ciox Data Breach Potentially Exposed Patient Personal Information Across 32 Healthcare Practices Nationwide | Console and Associates, PC

Recently, Ciox Health reported experiencing an “email security incident” that may have compromised sensitive information of an unknown number of patients. Ciox Health is a health information management company that helps healthcare practices manage their information requests. In this role, Ciox Health has access to personal and healthcare-related patient information of its healthcare provider customers. Thus, as a result of the breach, a significant amount of patient data may have been compromised. the data breach lawyers at Console & Associates, PC is actively investigating the breach of security to determine what legal remedies are available to those affected by the breach.

What caused the Ciox data breach?

According to an official note published by the company, in July 2021, Ciox learned that one of its employees’ email accounts had been accessed by an unauthorized party. Clearly, the unauthorized party gained access to the employee’s email account between June 24, 2021 and July 2, 2021.

The employee whose email account was hacked worked in customer service. And, on September 24, 2021, Ciox learned that the email account contained certain patient information related to billing inquiries and other customer service requests.

In response, Ciox conducted an internal investigation to determine what patient data was compromised in the cyberattack. On November 2, 2021, Ciox learned that the following data was contained in the employee’s email account or in attachments: patient names, provider names, birth dates and/or service dates. Ciox also confirmed that “in very limited cases, relevant information may also include social security numbers or driver’s license numbers, health insurance information, and/or clinical or treatment information.”

Between November 23, 2021 and December 30, 2021, Ciox Health began notifying its healthcare provider customers of the breach. And on December 30, 2021, Ciox began working with its customers to notify patients whose personal and health data was compromised as a result of the data breach.

Who is responsible for the data breach at Ciox?

While Ciox Health may be legally liable for the data breach, it is too early to tell if this is the case. In general, businesses have a legal obligation to protect consumer data in their possession. However, the laws governing liability for data breaches are complex, and not all breaches result in financial liability for the company. Data breach attorneys are actively investigating Ciox’s data security incident on behalf of affected parties to determine what legal remedies they have against the company.

Who was affected by the Ciox data breach?

According to cioxthe health facilities that were affected by the breach are:

  • AdventHealth (multiple facilities)

  • Alabama Orthopedic Specialists

  • Alexian Brothers Medical Group

  • AMITA Bolingbrook Health Adventist Medical Center

  • AMITA Health GlenOaks Adventist Medical Center

  • AMITA Hinsdale Health Adventist Medical Center

  • AMITA Health La Grange Adventist Medical Center

  • AMITA Health Alexian Brothers Hoffman Estates Behavioral Health Hospital

  • AMITA Health Alexian Brothers Elk Grove Village Medical Center

  • AMITA Health Sainte-Famille Des Plaines Medical Center

  • AMITA Health Mercy Aurora Medical Center

  • AMITA Health Resurrection Chicago Medical Center

  • AMITA Health Saint Francis Evanston Hospital

  • AMITA Health Saint Joseph’s Hospital of Chicago

  • AMITA Health St. Joseph Elgin Hospital

  • AMITA Health St. Joseph Joliet Medical Center

  • AMITA Health Saints Mary and Elizabeth Chicago Medical Center

  • AMITA Health St. Alexius Hoffman Estates Medical Center

  • AMITA Health St. Mary’s Hospital Kankakee

  • Arizona Community Surgeons, PC, dba Arizona Community Specialists

  • Ascension (multiple installations)

  • Baptist Memorial Health Care

  • BJC Healthcare

  • Burrell Behavioral Health

  • Butler Health Systems

  • Cameron Memorial Community Hospital

  • Health Center

  • Atlanta Children’s Health Care

  • Christus Health

  • Coastal Family Health Center

  • Cook County Health

  • Copley Hospital

  • DeSoto Memorial Hospital Health System

  • Einstein Healthcare Network

  • Erie County Medical Center Society

  • Essential Health

  • Florida Medical Clinic, LLC

  • Fort Wayne Orthopedics

  • Hoag Health System

  • Sisters Hospitaller Health System

  • Huntsville Hospital Health System

  • Indiana University Health

  • McLeod Health System

  • MD Partners

  • Morrilton Medical Clinic

  • Niagara Falls Memorial Medical Center Health System

  • Northern Light Mercy Hospital

  • Northwest Medicine

  • Ohio State University Health System

  • Optum, Inc.

  • Orlando Orthopedic Center

  • OrthoConnecticut

  • OSF Health Care System

  • OR Medicine, Inc.

  • Phoebe Putney Health System, Inc.

  • Piedmont Health Care

  • Covenant Presence Medical Center

  • Presence medical group

  • Presence United Samaritans Medical Center

  • Prisma Health – Greenville Health System

  • Prisma Health – Palmetto Health

  • Quorum Health and its subsidiaries

  • Redeemer’s Health

  • Reedsburg Area Medical Center

  • Rochester Regional Health

  • Sarasota County Public Hospital District d/b/a Sarasota Memorial Health Care System

  • Sentara Health

  • Temple Physician Inc.

  • University of Toledo Medical Center

  • Tower Health (several affiliated covered entities)

  • Trinity Health – St. Croix Hospital

  • Trinity Health – Mount Carmel Health System

  • Trinity Health – Saint Alphonsus Health System

  • Trinity Health – St. Francis Medical Center

  • Trinity Health – St. Joseph Mercy Health System

  • Union Hospital Health System

  • UPMC

  • Vanderbilt University Medical Center

  • Advantageous position

  • Walmart Inc.

  • Washington University School of Medicine

  • Winn Dixie

  • Women’s Health Specialist

However, Ciox has not yet confirmed the number of patients affected by the breach. It appears that the company is in the process of notifying all patients whose information was compromised as a result of the breach. However, Ciox notes that its efforts may be limited by the fact that it does not have contact information for all parties involved.

Are the people affected by the Ciox health data breach at risk?

If your information was part of the compromised data, it is important to understand what happened and whether you are at increased risk of identity theft or other fraud. If you receive a data breach notification from Ciox Health or your healthcare provider, it means that your data was contained in the affected employee’s email account. However, this does not necessarily mean that your information was actually accessed or stolen by the hacker. Unfortunately, you cannot exclude this possibility either.

Hackers and other malicious actors can orchestrate a cyberattack for several reasons. However, one of the main reasons they do this is to obtain consumer data that can then be used to commit identity theft or other fraud. So, given this risk, it is important that anyone who receives a Ciox data breach letter takes the necessary steps to protect themselves.

What to do if you received a data breach notification from Ciox

If you have received a data breach notification from Ciox Health or if you receive one in the coming weeks, it means that your personal data has been compromised during the recent cyberattack. It also means that a cybercriminal has gained access to your personal data and may have stolen it. Given the risks involved, it is important that you remain vigilant by taking the following measures:

  1. Find out what information was stolen: Read the data breach letter sent by Ciox carefully, keeping in mind the information you provided to the company as well as the type of data that was compromised in the breach. You should also take a copy of the data breach letter and retain it for your records. Of course, data breach letters aren’t always easy to understand. A consumer privacy attorney can help victims of a data breach understand what has been compromised and how to protect themselves.

  2. Prevent the hacker from accessing your accounts: Once you have determined the extent of the breach and how it affected you, you should then take all necessary steps to prevent cybercriminals from gaining access to your credit or financial accounts. For example, you must change all passwords and security questions for your online accounts. You should also consider setting up multi-factor authentication where available.

  3. Protect your credit and financial accounts: Following a data breach, companies typically provide free credit monitoring services for a set period of time. It’s not a gimmick, and you’re not giving up any rights by taking a company up on its offer. Additionally, you must contact one of the three major credit bureaus to request a copy of your credit file. Even if you don’t notice any signs of fraud or unauthorized activity, it’s a good idea to request a fraud alert. Fraud alerts are free and notify potential lenders and creditors that your information has been compromised.

  4. Consider a credit freeze: A credit freeze prevents access to your credit report unless you specifically authorize it. Credit freezes are free and last until you remove them. Although freezing credit on your accounts may initially seem like a drastic measure, according to the Identity Theft Resource Center (“ITRC”), it is the “most effective way to prevent a new credit/financial account”. “However, the ITRC reports that only 3% of consumers whose information is leaked freeze their accounts. Once a credit freeze is in place, you can temporarily lift it if you need to apply for any type of credit.

  5. Monitor your credit report and financial accounts regularly: Protecting yourself in the wake of a data breach is not a one-time job. You should constantly monitor your credit report and all financial accounts, keeping an eye out for any signs of unauthorized activity or fraud. You may also consider calling your banks and credit card companies to report that your information has been compromised in a data breach.