On November 22, 2021, UPMC’s vendor Ciox Health notified UPMC that an unauthorized person accessed one Ciox employee’s email account between June 24, 2021, and July 2, affecting the identifiable health information of 1,901 unique UPMC patients. Ciox’s full notification (also found at www.cioxhealth.com/notice-of-email-security-incident/) is posted below:
Ciox Health is working with our customers to notify individuals whose information may have been involved in an incident involving unauthorized access to a Ciox employee’s email account. Ciox is posting this notice on behalf of multiple healthcare providers.
An unauthorized person accessed one Ciox employee’s email account between June 24, 2021, and July 2, 2021, and during that time may have downloaded emails and attachments in the account. Ciox reviewed the account’s contents to determine whether sensitive information was contained in the account. On September 24, 2021, Ciox learned that some emails and attachments in the employee’s email account contained limited patient information related to Ciox billing inquiries and/or other customer service requests. The review was completed on November 2, 2021.
Between November 23, 2021, and December 30, 2021, we began the process of notifying our healthcare provider customers of this incident. Since then, we have worked with the providers to notify the affected individuals whose information was identified by the review.
The information involved included patient names, provider names, dates of birth, and/or dates of service. In very limited instances, the information involved may have also included Social Security numbers or driver’s license numbers, health insurance information, and/or clinical or treatment information.
It is important to note that the Ciox employee whose email account was involved did not have direct access to any healthcare provider’s or facility’s electronic medical record system.
Ciox takes the privacy and confidentiality of the information it maintains very seriously, and we continuously evaluate our security procedures against industry best practices. To help prevent something like this from happening again, we have identified and will continue to identify opportunities to implement additional procedures to further strengthen our email security, including by providing enhanced cybersecurity training to our employees. We also have been working with our customers to notify individuals whose information was contained in the email account.
While the investigation did not find any instances of fraud or identity theft that have occurred as a result of this incident, out of an abundance of caution, beginning December 30, 2021, Ciox will be working with our customers to notify patients whose information was reflected in the emails and/or attachments and for whom we had sufficient contact information. We are also providing resources involved individuals can use to help protect their information, including complimentary credit monitoring and identity protection services to the limited number of individuals whose Social Security numbers or driver’s license numbers were involved in this incident.
Ciox believes that the account access occurred for purposes of sending phishing emails to individuals unrelated to Ciox, not to access patient information. However, as a precaution, Ciox recommends individuals review statements received from their healthcare providers and health insurers. If they see charges for services they did not receive, they should contact the provider or insurer immediately.
Ciox has also established a dedicated, toll-free call center for questions about this incident. The call center may be reached at (855) 618-3107 Monday through Friday, between 9:00 a.m. and 6:30 p.m., Eastern Time, excluding some major U.S. holidays.