CaptureRx Data Breach Hits MetroHealth System, 16 Others

June 16, 2021 - MetroHealth System in Cleveland, Ohio, experienced a data breach connected to a vendor, CaptureRx, whose ransomware breach affected at least 16 other healthcare organizations. At MetroHealth, patient files were accessed without authorization in February, containing names, birthdates, and prescription information.

Texas-based CaptureRx assists hospitals with managing their 340B drug program, which helps patients get prescription drugs at a lower cost. In light of the data breach, CaptureRx quickly launched an investigation and changed all user passwords. They also heightened security protocols, according to a report from WOIO, Cleveland’s CBS-affiliated news station.

It is unclear how many patients from MetroHealth System were impacted, but the CaptureRx breach as a whole affected over a million patients at 17 hospitals and healthcare organizations, according to a report from Becker’s Hospital Review. Other victims include Walmart, Jones Memorial Hospital, and Trinity Twin City Hospital.

MetroHealth’s patient care and EHR systems were not impacted by the breach. CaptureRx provided affected patients with a notice of the breach and advice for securing their information.

In other data breach news, Swedish software company Elekta faced a breach that impacted multiple healthcare organizations, including the Cancer Centers of Southwest Oklahoma. Social Security numbers, addresses, birthdates, and treatment details were accessed, and the organization’s compromised system is shut down until they can ensure security.

In addition, IT security company COO Vikas Singla, was charged last week with aiding and abetting a cyberattack on Gwinnett Medical Center in Georgia conducted in 2018. Singla was charged on 18 separate counts.

As the healthcare industry struggles to recover from the COVID-19 pandemic, cybersecurity threats are ramping up. A recent FBI flash alert warned the healthcare sector that the Conti ransomware group has been targeting the healthcare sector in the past year, and organizations should be vigilant.

“Like most ransomware variants, Conti typically steals victims’ files and encrypts the servers and workstations in an effort to force a ransom payment from the victim. The ransom letter instructs victims to contact the actors through an online portal to complete the transaction,” the flash alert warned.

“If the ransom is not paid, the stolen data is sold or published to a public site controlled by the Conti actors. Ransom amounts vary widely and we assess are tailored to the victim. Recent ransom demands have been as high as $25 million.”

More healthcare leaders are speaking out about the data breaches their organizations have experienced and what lessons they have learned in the process. Sky Lakes Medical Center in Oregon was the victim of a ransomware attack in October of 2020. Sam Stewart, a networks analyst at Sky Lakes Medical Center, noted that the cyberattack at least led to the center strengthening their cybersecurity efforts in an effort to prevent future attacks.

In addition, Scripps Health president and CEO Van Gorder recently wrote an opinion piece in the San Diego Union-Tribune discussing the lessons his organization learned in the wake of a cyberattack that caused significant EHR downtime and appointment cancellations.