Notification of Possible PHI Disclosure

Jul 14, 2022

NYC Health + Hospitals began to notify approximately 50 patients about the disclosure of some of their protected health information (PHI), which occurred on or around June 24, 2021. NYC Health + Hospitals was notified of the disclosure on March 16, 2022. The incident involved a phishing attack and the exfiltration of information by a threat actor from the email of a former third-party vendor, CIOX Health. The PHI included patients’ names, dates of birth, addresses, health insurance information, and other clinical information. For a limited number of patients, a Social Security number or driver’s license number was included.

There is no evidence to suggest that the PHI has been misused in any manner. On July 4, 2021, CIOX Health engaged a forensics firm to evaluate its systems for vulnerabilities and to monitor the dark web and public websites for the presence of the PHI. The forensics firm found no evidence of the PHI on the dark web or public websites.

CIOX Health has provided information about the incident on its website. Affected patients are invited to visit the CIOX Health website at https://www.cioxhealth.com/notice-of-email-security-incident/.

Consistent with federal regulatory requirements, NYC Health + Hospitals will notify the Office for Civil Rights (OCR), the federal oversight agency for unauthorized disclosures of PHI.

For more information, please contact pressoffice@nychhc.org.