Ransomware attack on healthcare admin company CaptureRx exposes multiple providers across United States

Faxton St. Luke’s Healthcare in New York, Randolph, VT-based Gifford Health Care and Thrifty Drug Stores are just a few of the victims.
Written by Jonathan Greig, Contributor

Multiple healthcare providers across the United States are reporting being impacted by a ransomware attack on CaptureRx, a San Antonio-based company providing drug-related administrative services.

At least three healthcare-related institutions -- including UPMC Cole and UPMC Wellsboro in Pennsylvania, Lourdes Hospital and Faxton St. Luke's Healthcare in New York, Gifford Health Care in Randolph, Vermont and a number of Thrifty Drug Stores -- have reportedly had the health information of customers or patients exposed and stolen in the breach. 

The HIPAA Journal reported that at least 17,655 patients at Faxton St. Luke's Healthcare, 6,777 patients at Gifford Health Care, and 7,400 at UPMC Cole and UPMC Wellsboro had their information accessed by the cyberattackers, but it is still unclear how many total patients were exposed and how many CaptureRx customers were affected. 

In a statement, CaptureRx said its team began investigating its systems after someone noticed "unusual activity involving certain of its electronic files" on February 6. By February 19, the company confirmed that patient files, including names, dates of birth, prescription information and medical record numbers, were accessed and stolen. 

From March 30 to April 7, the company began notifying all of the healthcare providers that had been breached and worked with the companies to contact everyone whose information had been stolen. The company statement urges those affected to monitor their accounts for any unexpected activity. 

Justin Fier, director of strategic threat and analysis at cybersecurity company Darktrace, said the healthcare sector will remain a prime target for ransomware attacks not only because of the vast amount of personal, and often sensitive, medical data available, but also because healthcare systems simply cannot afford downtime -- meaning organizations like CaptureRx are more likely to pay a ransom. 

Fier added that the emergence of open-source tools and ransomware-as-a-service providers available on the dark web are spurring the increasing frequency of attacks in 2021, noting the recent attack on Swedish radiology software provider Elekta, which affected over 42 U.S. healthcare sites while also preventing cancer patients from receiving necessary radiation treatment. 

Many cybersecurity experts noted that healthcare organizations are particularly ripe targets for ransomware gangs because they carry troves of patient data that can be sold on the dark web or effectively sold back to healthcare organizations for ransom. Healthcare organizations also carry data that cannot be changed, like SSNs and other personal information. 

Flashpoint senior director of intelligence Ian Gray explained that some of the publicly reported high-profile attacks from the past year indicate that larger providers with thousands of downstream providers may have a higher willingness to pay to decrypt the data, or prevent it from being leaked on a ransomware site. 

Any breaches of personal health care information violate parts of HIPAA and generally trigger investigations by the U.S. Government's Office of Civil Rights, according to Garret Grajek, CEO of YouAttest. Grajek added that in 2020, both Athen Orthopedic and LIfeSPan Health System were fined $1.5 million and $1.04 million respectively following breaches.

Ransomware became such a problem for healthcare organizations in 2020 that the Center for Internet Security began offering a no-cost ransomware protection service for private hospitals in the U.S. that may not be able to afford a robust cybersecurity service. 

Saumitra Das, CTO at cybersecurity firm Blue Hexagon said the CaptureRx attack highlights the impact of the software supply chain. 

"Not only can you be breached due to a software you installed with high privilege internally (e.g Solarwinds) but you can also be breached due to your partners who handle your data being breached," Das said. 

"Organizations need to look very closely at all their partners who have access to their important data, verify their security practices, and work with the least privilege when possible."

Editorial standards