Healthcare technology company CaptureRx must pay a $4.75 million settlement to resolve a class action data breach lawsuit resulting from a ransomware attack in which at least 1.9 million patients’ data was stolen.
Patients whose personal health information (PHI) is breached are at a significantly higher risk of identity theft and fraud than those whose data has been properly secured. PHI is valuable on black markets because it usually contains several data points for individuals and can easily be leveraged by bad actors with malicious intent to commit identity theft.
CaptureRx is a San Antonio-based third-party pharmacy management system that oversees inventory and financial flow of prescriptions filled at affiliated pharmacies. CaptureRx uses a Cumulus cloud-based platform and has processed more than 190 million patient encounters and over 750 million switch claims. The company works with over 500 hospitals and health centers throughout 45 states and maintains a large network of more than 3,500 partner pharmacies.
In February 2021, CaptureRx detected unusual activity relating to some of its electronic files and commenced an investigation. The investigation revealed that certain files were accessed without authorization in a ransomware attack that occurred on February 6, 2021. The breach exposed patient information including full names, dates of birth, sensitive prescription information, and, for some patients, medical record numbers, according to the CaptureRx press release.
On March 30, 2021, CaptureRx began notifying healthcare providers that it had been subject to the attack. After informing affected providers, CaptureRx worked with its clients to notify individuals whose data was flagged in the investigation as stolen. CaptureRx has not provided a clear figure for exactly how many patients were affected by the breach. In the report filed with the Maine Attorney General, the number of affected patients is listed as 1,919,938.
Affected healthcare providers with the largest number of patients breached include:
- NYC Health + Hospitals (43,727 patients)
- The Mohawk Valley Health System Affiliate, Faxton St. Luke’s Healthcare (17,655 patients)
- Catholic Health System – St. Mary’s and Sisters of Charity Hospitals (17,002 patients)
- Jordan Valley Community Health Center, MO (12,000 patients)
Walmart was also implicated in the breach, but the number of affected Walmart patients is unknown.
CaptureRx maintained security systems prior to the breach, but the data thieves were able to bypass them. According to the company, there is so far no evidence of any actual or attempted misuse of the data.
Despite not admitting any legal wrongdoing, CaptureRx agreed to the $4.75 million settlement to benefit a nationwide class of consumers whose data was breached. The settlement also includes a California subclass of the same consumers who were California residents at the time of the breach notification. Under the settlement terms, national class members can recover a $25 cash payment. California subclass members may receive an additional $75 payment.