CaptureRx to Consider Filing For Bankruptcy if $4.75M Settlement Not Approved

February 16, 2022 - CaptureRx CEO Chris Hotchkiss said the company would “strongly consider” filing for bankruptcy if a $4.75 million settlement to resolve multiple class-action lawsuits resulting from a 2021 data breach that impacted 2.4 million individuals is not approved. The incident was one of the largest healthcare data breaches of 2021.

Texas-based CaptureRx assists hospitals with managing their 340B drug program, which aims to help patients get prescription drugs at a lower cost. In February 2021, CaptureRx, also known as NEC Networks, discovered malicious activity on its IT network that resulted in data encryption and exfiltration.

CaptureRx first notified only 1.2 million individuals that their protected health information (PHI) was part of the breach, but further investigation revealed millions of additional victims. At least 17 healthcare organizations later reported breaches tied to CaptureRx to HHS, including MetroHealth System, Walmart, Catholic Health, and Trinity Health System.

In the wake of the cyberattack, 10 lawsuits were brought against CaptureRx, most of which alleged negligence, invasion of privacy, and improper data protection measures. CaptureRx denied all wrongdoing.

The proposed $4.75 million settlement aims to resolve all of them. If approved, breach victims will be entitled to a payment of $25, and California subclass members will be eligible for an additional $75 to account for California privacy laws.

CaptureRx will also be given 90 days to “further develop, implement, and maintain a comprehensive information security program that is reasonably designed to protect the security, integrity, and confidentiality of personal Information that CaptureRx collects or obtains from patients,” the document stated.

The approval hearing for the settlement has not yet been set. But Hotchkiss stated that if litigation continues, CaptureRx may be on the brink of bankruptcy.

“CaptureRx is not a large national or multinational company and has limited resources,” Hotchkiss said.

“CaptureRx has a wasting insurance policy related to this case. The insurer is making a substantial contribution to the settlement but based on its policy limits – the amount covered is less than half of the total settlement.”

Hotchkiss also revealed that CaptureRx’s owners would be paying for part of the settlement with their own money.

“CaptureRx faces demands for indemnity from numerous customers, that were also named as Defendants in the class action cases, that have and continue to put severe financial strain on the company,” he continued.

“If the subject class action litigation does not settle, CaptureRx will strongly consider filing for bankruptcy.”

CaptureRx is the latest in a string of organizations that recently settled cases stemming from healthcare data breaches.

Inmediata Health Group recently reached a $1.13 million settlement to resolve a class-action lawsuit surrounding a 2019 data breach. The lawsuit alleged that the healthcare clearinghouse failed to secure PHI. The data breach impacted nearly 1.6 million patients.

Excellus and Blue Cross Blue Shield Association also recently settled in a class-action lawsuit resulting from a 2015 data breach that impacted 10.5 million people. If approved, Excellus will have to pay upwards of $4 million and take steps to remedy noncompliance.