CaptureRx Ransomware Attack Affects Multiple Healthcare Provider Clients and 1,919,938 Individuals

NEC Networks, dba CaptureRx, a San Antonio, TX-based provider of 340B administrative services to healthcare providers, has suffered a ransomware attack in which files containing the protected health information of customers’ patients were stolen.

The security breach was detected on February 19, 2021, with the investigation confirming unauthorized individuals had accessed and acquired files containing sensitive data on February 6, 2021. A review of those files was completed on March 19, 2021 and affected healthcare provider clients were notified between March 30 and April 7, 2021.

CaptureRx has since been working with the affected healthcare providers to notify all individuals affected. The types of data exposed and acquired by the attackers was limited to names, dates of birth, prescription information and, for a limited number of patients, medical record numbers.

CaptureRx had security systems in place to ensure the privacy and security of healthcare data, but the attackers had managed to bypass those protections. Following the attack, policies and procedures were reviewed and enhanced and additional training has been provided to the workforce to reduce the risk of any further security breaches.

It is currently unclear how many of its healthcare provider clients have been affected, although it appears from the breach report submitted to the Maine Attorney General that the breach has affected 1,919,938 individuals. The incident is showing on the HHS breach portal as affecting 1,656,569 individuals. The difference in the two figures is due to some affected healthcare clients reporting the breach rather than NEC networks.

Healthcare clients affected by the ransomware attack include:

  • NYC Health + Hospitals, NY – 43,727 patients.
  • The Mohawk Valley Health System affiliate, Faxton St. Luke’s Healthcare, NY – 17,655 patients.
  • Catholic Health System – St. Mary’s and Sisters of Charity Hospitals, NY – 17,002 patients
  • Jordan Valley Community Health Center, MO – 12,000 patients
  • Familycare Inc, WV – 9,584
  • Trinity Health System – Twin City, OH – 9,579 patients
  • Jones Memorial Hospital, NY – 8,962 patients
  • Hudson Headwaters Health Network, NY – 8,100 patients
  • UPMC Cole, PA – 7,376 patients
  • Gifford Health Care, VT – 6,777 patients
  • Neighborhood Family Practice, OH – 6156 patients
  • Ascension St. Joseph Hospital, MI – 5,807 patients
  • Brownsville Community Health Center, TX – 4,200+ patients
  • TidalHealth Peninsula Regional, DE – 4,070
  • Thrifty Drug Stores (Thrifty White) – 3,958 patients
  • Hidalgo Medical Services, NM – 2,179 patients
  • Coplin Health Systems, WV – 2,164 patients
  • Tiburcio Vasquez Health Center, CA- 2,042 patients
  • St Lawrence Health – Massena Hospital, NY – 1,897 patients
  • Our Lady of Lourdes Memorial Hospital, NY – 1,745 patients
  • Ascension Standish Hospital, MI – 1,705 patients
  • Williamson Health and Wellness Center, WV – 1,688 patients
  • Moses Lake Community Health Center, WA – 1,190 patients
  • HopeHealth, SC – 963 patients
  • Adirondack Health, NY – 800 patients
  • Kaleida Health, NY – 600 patients
  • Bayhealth Medical Center, DE – 565 patients
  • etroHealth System, OH – Unknown
  • ECHO Community Healthcare, IN – Unknown
  • Marshall Medical Center, CA – Unknown
  • Tiburcio Vasquez Health Center, CA – Unknown
  • Walmart – Unknown

CaptureRx said the investigation into the breach has not uncovered evidence to suggest any actual or attempted misuse of data stolen in the attack; however, affected individuals have been advised to monitor their account and explanation of benefits statements for signs of fraudulent activity.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.