Tech Vendor Email Breach Affects Dozens of Health Entities
Incident Is Latest Reminder of Business Associate Security Risks
This article has been updated.
A healthcare technology vendor is notifying dozens of its healthcare provider clients of an email security breach affecting their patients' protected health information. Experts say the incident serves as the latest reminder of the risks business associates pose to sensitive healthcare data.
In a notice posted on its website, Ciox Health, an Alpharetta, Georgia-based healthcare information management vendor, says that between Nov. 23 and Dec. 30, 2021, it began the process of notifying healthcare provider customers of an email compromise last summer affecting some of their patients' PHI.
Ciox in the notice also included a list of about 32 healthcare providers affected by the incident.
The affected entities include a wide range of different types of healthcare providers, including medical specialty practices such as Alabama Orthopaedic Specialists; community hospitals, such as Cameron Memorial Community Hospital; regional medical centers including Niagara Falls Memorial Medical Center; and large university-affiliated health delivery networks, including Ohio State University Health System.
Business associates and other vendors have been at the center of many major recent health data breaches.
The Department of Health and Human Services' HIPAA Breach Reporting Tool website on Wednesday showed that of the 698 major health data breaches affecting 45.1 million individuals posted to the site in 2021, 245 incidents affecting more than 21.1 million involved business associates.
That means business associates were involved in about 35% of all major health data breaches posted so far on the HHS site in 2021, but those vendor incidents were responsible for nearly 47% of the individuals affected.
In its notice, Ciox says an unauthorized person accessed one Ciox employee’s email account between June 24 and July 2, 2021, potentially downloading emails and attachments contained in the account.
Ciox Health says that on Sept. 24, it learned that some emails and attachments in the compromised employee’s email account contained "limited" patient information related to Ciox billing inquiries and other customer service requests. The review was completed on Nov. 2, Ciox says.
"Since then, we have worked with the providers to notify the affected individuals whose information was identified by the review," Ciox says.
Information contained in the compromised email account included patient names, provider names, dates of birth, and/or dates of service, Ciox says. In addition, in some limited instances, information affected also included Social Security numbers or driver’s license numbers, health insurance information, and/or clinical or treatment information, the statement says.
"It is important to note that the Ciox employee whose email account was involved did not have direct access to any healthcare provider’s or facility’s electronic medical record system," Ciox says.
"Ciox believes that the account access occurred for purposes of sending phishing emails to individuals unrelated to Ciox, not to access patient information," the notice adds.
More Entities Affected?
Beyond the list of affected healthcare providers named on Ciox's website, some additional entities have also separately begun notifying their patients that they too were affected by the Ciox incident.
For instance, UVA Health, in a Dec. 3 public notice, said 429 patients of its UVA Medical Center in Charlottesville, Virginia, and UVA Culpeper Medical Center in Culpeper, Virginia, were affected by the Ciox Health incident.
Ciox did not immediately respond to Information Security Media Group's request for additional details about the incident, including the total number of clients affected.
The HHS OCR HIPAA breach reporting site shows that Ciox reported the email hacking incident on Dec. 30 as affecting nearly 12,500 individuals.
So, what steps can covered entities take to help better prevent their patients' PHI falling victim to vendor breaches, including those involving email compromises?
"One of the fundamental steps is to know who your business associates and vendors are. Once a covered entity has developed a comprehensive inventory, it can begin to understand the type, movement, and access to its data," says Dawn Morgenstern, who leads vendor risk management services at privacy and security consultancy Clearwater.
Another step is to assess vendors to understand where there are gaps and risks to their security posture, she suggests. "Assessments can provide valuable information regarding the business associate's training program, compliance, and security controls implemented," she advises.
Also among the most critical measures that healthcare providers can take are having a comprehensive business associate agreement and "obtaining reasonable assurances by creating a one-page attestation," says regulatory attorney Rachel Rose.
That attestation should accompany the business associate agreement, and include several critical questions and components, she suggests.
Rose recommends that attestations include a statement about "truthfulness" and a signature line - plus, these questions:
- Does your organization require annual training for workforce members?
- Do you undergo an annual risk analysis to evaluate the requisite technical, administrative, and physical safeguards?
- Do you have business associate agreements in place with all required persons?
- Is your data encrypted both at rest and in transit?
"This way, a healthcare provider not only has reasonable assurances obtained to hand over to the HHS Office for Civil Rights or another government agency, but in the event of a business associate breach, if the business associate was untruthful, it could provide the healthcare provider with additional legal recourse," Rose says.
"In addition to ongoing awareness training and deploying software, choosing the right IT and other business partners is crucial, as well as staying abreast of new types of attacks," she says.
Morgenstern urges organizations to stay vigilant. "Too often, covered entities and business associates think that once they address an incident or breach, they are done. Wrong. Bad actors are always looking for ways to exploit vulnerabilities and they continually change their methods and levels of sophistication," she says.
Covered entities should continually monitor industry trends, assess/reassess their business associate/vendor relationships, and keep leadership and their board informed about any potential risks, she says.
"Cybersecurity is an ongoing process that requires adequate resources to combat the threats and vulnerabilities."
For its part, Ciox in its statement says that to help prevent future similar incidents, it is evaluating implementing additional procedures to strengthen its email security, including providing "enhanced cybersecurity training" to employees.