CaptureRx Facing Multiple Class Action Lawsuits Over Ransomware Attack Involving PHI of 2.4 Million Patients

The healthcare administrative services provider CaptureRx is facing multiple class action lawsuits for failing to protect patient data, which was obtained by unauthorized individuals in a February 2021 ransomware attack.

NEC Networks, doing business as CaptureRx, provides IT services to hospitals to help them manage their 340B drug discount programs. Through the provision of those services, CaptureRx is provided with the protected health information of patients.

Around February 6, 2021, CaptureRx identified suspicious activity in some of its IT systems, which included the encryption of files. The investigation confirmed that files containing the protected health information of 2,400,000 or more patients were compromised in the attack.

CaptureRx said in its breach notification letters that, “all policies and procedures are being reviewed and enhanced and additional workforce training is being conducted to reduce the likelihood of a similar future event.” Affected individuals were advised to “remain vigilant against incidents of identity theft and fraud, to review account statements and explanation of benefits forms, and to monitor free credit reports for suspicious activity and to detect errors.”

On July 21, 2021, a lawsuit was filed in the U.S. District Court for the Western District of Texas by plaintiff Michelle Rodgers. Rodgers is a patient of ARcare in Augusta, AR, whose personal and protected health information was compromised in the attack.

Rodgers, and the class members, allege that CaptureRx was negligent for failing to implement and maintain reasonable safeguards and had not complied with industry-standard data security practices to ensure the confidentiality of their protected health information, in violation of federal and state laws. The plaintiff and class members seek monetary damages and injunctive and declaratory relief.

A similar lawsuit had previously been filed in the District Court for the Western District of Texas naming Mark Vereen as plaintiff, which names NEC Networks, CaptureRx, and Midtown Health Center in Los Angeles as defendants. The lawsuit alleges the defendants were negligent for failing to take the necessary steps to prevent a data breach, the risk of which should have been well-known. The plaintiffs in that lawsuit allege they are at risk harm that could be “long lasting and severe,” which “may continue for years,” and that the defendants violated the Federal Trade Commission regulations and HIPAA. The lawsuit sees over $5 million in damages.

A lawsuit has also been filed by a Missouri resident in federal court in Kansas City on behalf of all Missouri residents affected by the breach, seeking at least $5 million in damages.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.