Thrive by IU Health

December 29, 2021

Notice of Email Security Incident

Ciox Health (“Ciox”), a vendor to IU Health, contracts with healthcare organizations to provide health information management services. Ciox places a high value on maintaining the privacy and security of the information they maintain for their customers. Regrettably, this notice concerns an incident that may have involved some of that information. While Ciox has no indication that anyone’s information has been misused, this notice explains the incident, outlines the measures they have taken in response, and steps individuals can take.

What Happened?

An unauthorized person accessed one Ciox employee’s email account between June 24, 2021 and July 2, 2021, and during that time may have downloaded emails and attachments in the account. Ciox reviewed the account’s contents to determine whether sensitive information was contained in the account. On September 24, 2021, Ciox learned that some emails and attachments in the employee’s email account contained limited patient information related to billing and/or other customer service requests. The review was completed on November 2, 2021 and confirmed the full scope of affected individuals whose information was contained in the account and the covered entities to which their information related.

Between November 23 and December 3, 2021, Ciox began the process of notifying their healthcare provider customers of this incident. Since then, Ciox has worked with IU Health to notify the affected individuals whose information was identified by the review.

What Information Was Involved?

The information involved included patient names, provider names, dates of birth, and/or dates of service. In limited instances, the information involved may have also included Social Security numbers or driver’s license numbers, health insurance information, and/or clinical or treatment information.

What Ciox Is Doing?

Data privacy and security are among Ciox’s highest priorities, and they have extensive measures in place to protect information entrusted to them. To help prevent similar incidents from happening in the future, they are implementing additional procedures to further strengthen their email security and are providing enhanced cybersecurity training to their employees. They also have been working with their customers to notify individuals whose information was contained in the email account.

What You Can Do

Ciox believes that the account access occurred for purposes of sending phishing emails to individuals unrelated to Ciox, not to access patient information. Still, they wanted to notify individuals of this incident and assure them they take this incident very seriously. As a precaution, they recommend individuals review statements received from their healthcare providers and health insurers. If they see charges for services they did not receive, they should contact the provider or insurer immediately. For the limited number of individuals whose Social Security number or driver’s license number was contained in the email account, Ciox is offering complimentary credit monitoring and identity protection services.

For More Information

Ciox began notifying affected individuals on Dec. 30, 2021 and will continue to do so as their customers provide them with contact information. For that purpose, Ciox has established a dedicated call center to answer any questions individuals have about the incident. If you believe you are affected or have questions about the incident, please call 1.855.618.3107, toll-free, Monday through Friday, between 9:00 a.m. and 6:30 p.m., Eastern Time, excluding some major U.S. holidays.