⛓ Supply Chain
Ciox Health Third-Party Breach — Baptist Memorial, Children's Healthcare of Atlanta, Hoag, 28+ Health Systems
Incident Details
In January 2022, Ciox Health — a major provider of health information management (HIM) services including medical record retrieval, release-of-information (ROI), and coding services for hospitals nationwide — disclosed a breach affecting multiple client health systems. Affected organizations included Baptist Memorial Health Care, Butler Health Systems, Children’s Healthcare of Atlanta, Hoag Health System, and 28+ other hospital systems and health plans. Ciox processes medical records for approximately 2,000 US hospitals. Exposed data included patient names, dates of birth, dates of service, provider names, and medical record numbers. HHS OCR received multiple breach notifications from affected health systems. The Ciox breach illustrated the extreme supply chain risk of HIM services vendors that hold PHI from hundreds of hospital clients simultaneously.
Technical Details
- Initial Attack Vector: Ciox Health — a major health information management (HIM) services provider — suffered a phishing-related breach that exposed patient data across 28+ hospital and health system clients
- Vendor / Product: Ciox Health (health information management services)
- Supply Chain Attack: ✅ Confirmed third-party / vendor compromise
Timeline
- 2022-01-01 Breach occurred
- 2022-01-01 Publicly disclosed