Cyber Incident Victim: CIOX Health
Date:
Jun 2021
Location:
United States of America
Summary
A healthcare data management company experienced a cybersecurity breach when unauthorized actors compromised an employee's email account over a multi-day period, potentially accessing sensitive patient information. The exposed data included names, provider details, birthdates, service dates, and limited instances of Social Security numbers, driver's license information, health insurance details, and clinical treatment records. The incident impacted nearly 12,500 individuals across multiple healthcare provider clients. Following internal reviews, the organization notified affected healthcare partners and implemented enhanced email security measures alongside additional employee cybersecurity training to mitigate future risks.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
The incident at Ciox Health began on June 24, 2021, when an unauthorized individual gained access to a company employee’s email account. This unauthorized access persisted until July 2, 2021, during which the threat actor potentially downloaded emails and attachments associated with the compromised account. Ciox Health discovered the breach during a subsequent review of the account contents, confirming on September 24, 2021, that sensitive patient information had been exposed. The compromised data primarily stemmed from billing inquiries and customer service requests stored within the affected email account. Exposed information included patient names, provider names, dates of birth, and dates of service. In limited cases, social security numbers, driver’s license numbers, health insurance details, and clinical or treatment information were also accessed. The breach impacted individuals associated with Ciox Health’s healthcare provider clients, though the company emphasized that the exposure of highly sensitive data occurred only in "very limited instances."
Ciox Health initiated its response by notifying healthcare provider customers of the security incident starting November 23, 2021. The company filed an official breach report with the U.S. Department of Health and Human Services’ Office for Civil Rights on December 30, 2021, categorizing the event as a hacking/IT incident affecting 12,493 individuals. Public disclosures were issued on behalf of 32 healthcare providers, including notable entities such as Children’s Healthcare of Atlanta and Indiana University Health. As part of remediation efforts, Ciox Health committed to strengthening email security protocols and implementing enhanced cybersecurity training for employees. The organization stated these measures aimed to prevent future incidents but did not disclose specific technical controls or forensic findings regarding the attacker’s methods or point of entry beyond the compromised email account. No ransomware involvement or data misuse was reported in the available disclosure.