What is Being Done About the Ciox Vendor Email Breach
Ciox stated online that they began the process of notifying their healthcare providers between November 23 and December 30, 2021. They have also been working with providers to notify affected individuals. Breach notification is required as part of complete HIPAA compliance.
Ciox clarified that the employee whose email account was involved “did not have direct access to any healthcare provider’s or facility’s electronic medical record system.”
Providers Affected by the Ciox Vendor Email Breach
Ciox is providing notice of the email security incident to patients of the following healthcare providers:
- AdventHealth – Orlando
- Alabama Orthopaedic Specialists
- Baptist Memorial Health Care
- Butler Health Systems
- Cameron Memorial Community Hospital
- Centra Health
- Children’s Healthcare of Atlanta
- Coastal Family Health Center
- Copley Hospital
- DeSoto Memorial Hospital Health System
- Hoag Health System
- Hospital Sisters Health System
- Huntsville Hospital Health System
- Indiana University Health
- McLeod Health System
- MD Partners
- Niagara Falls Memorial Medical Center Health System
- Northern Light Mercy Hospital
- Northwestern Medicine
- Ohio State University Health System
- Prisma Health – Greenville Health System
- Prisma Health – Palmetto Health
- Sarasota County Public Hospital District d/b/a Sarasota Memorial Health Care System
- Trinity Health – Holy Cross Hospital
- Trinity Health – Mount Carmel Health System
- Trinity Health – Saint Alphonsus Health System
- Trinity Health – St. Francis Medical Center
- Trinity Health – St. Joseph Mercy Health System
- Union Hospital Healthcare System
- Women’s Health Specialist
Takeaways From the Ciox Vendor Email Breach
The Department of Health and Human Services “Wall of Shame” lists breaches affecting more than 500 patients. However, as of January 6, 2022, there was no breach reported for Ciox.
The HIPAA Breach Notification Rule requires that all breaches be reported to the affected parties within 60 days of discovery, and that breaches affecting more than 500 patients also be reported to HHS and the media. Failure to do so can result in substantial fines.
Business associates like Ciox must be HIPAA compliant to do business with healthcare providers and other covered entities. Signed business associate agreements can help shield providers from the regulatory penalties that could result from a breach.
As breaches like this become more commonplace, both business associates and providers should be certain that they have comprehensive HIPAA compliance strategies tailored to their business. If you have questions or concerns about your HIPAA compliance, talk to one of our experts at Compliancy Group.