Catholic Health Impacted by CaptureRx Data Breach, Patients’ PHI Exposed

August 13, 2021 - Catholic Health announced that the recent CaptureRx data breach is impacting some of its patients’ protected health information (PHI.)  

A total of 17,002 patients are being impacted by the data breach, according to the US Department of Health and Human Services Office for Civil Rights.  

In a press release, Catholic Health announced that patients from Mount St. Mary’s Hospital in Lewiston, New York and Sisters of Charity Hospital in Buffalo, New York, were part of the third-party pharmaceutical software vendor’s data breach which exposed patients’ PHI. CaptureRx notified the New York healthcare system on June 3, 2021, it stated.  

The two New York-based hospitals join a variety of healthcare providers from across the country that were impacted by the CaptureRx data breach. The CaptureRx ransomware breach impacted over 200 other healthcare organizations across the country. A full list of facilities impacted by the CaptureRx breach can be found here.   

“CaptureRx, a healthcare IT company based in San Antonio, Texas, provides services to help healthcare systems manage pharmaceuticals related to Medicaid and other programs,” the release notes.  

According to the press release, the data breach involved patients’ PHI, including  

The breach involved patient information, including names, dates of birth, “and prescription data, from files that were accessed on February 6, 2021. No other identifying information such as demographic, social security number or bank account information was included in the data breach,” the release notes. 

“CaptureRx immediately began an investigation into this activity and worked quickly to assess the security of its systems, conducting a thorough review of the files to determine whether sensitive information was present at the time of the incident,” the press release states. “On or around March 19, 2021, CaptureRx confirmed that private information was compromised.” 

Since the spring, the third-party vendor has been notifying its business partners impacted by the data breach.  

“As part of its ongoing commitment to information security, all policies and procedures are being reviewed and enhanced,” the Catholic Health press release notes. “Additional workforce training is being conducted to reduce the likelihood of a similar event in the future. To date, the investigation has found no evidence of actual or attempted misuse of this information as a result of this incident.” 

Kimberly Whistler, Catholic Health Corporate Compliance & Privacy Officer, states in the release that Catholic Health is committed to protecting its patients’ privacy and PHI.  

“We go to great lengths to protect the privacy of our patients and any information related to their care,” Whistler says.  

Patients impacted by the CaptureRx breach have been notified by the vendor, she notes. 

PHI was exposed, but no financial information was included in the data breach, she states.  

Patients should monitor their accounts and credit information as a precaution and report any suspicious activity or suspected identity theft to authorities, she says.  

Patients with questions or concerns can visit the CaptureRx website at https://www.capturerx.com/data-incident/ or call 1-855-654-0919, from 9am to 5pm EST, Monday through Friday.