HIPAA Horror Stories

Capture Rx Breach Climbs to More than a Million

one-minute read

One hacking incident at a vendor under contract with multiple healthcare providers can mushroom fast. By May 5, 2021, when Capture Rx, a San Antonio company and HIPAA business associate notified the Office for Civil Rights (OCR) about a February data breach, the number of individuals had soared to 1,656,569.

Capture Rx is a Texas-based information technology company that assists numerous healthcare providers across the country manage prescription drug costs. Among its customers are Gifford Health Care of Randolph in Vermont, Mohawk Valley Health System affiliate Faxton St. Luke’s Healthcare in New York, UPMC Cole and UPMC Wellsboro in Pennsylvania, Thrifty Drug Stores (Thrift White), and many others.

On May 5 CaptureRx issued a statement that it began investigating IT systems after someone noticed “unusual activity involving certain of its electronic files” on February 6. By February 19, the company had confirmed that patient files, including names, dates of birth, prescription information and medical record numbers, were accessed and stolen. Each is an identifier of protected health information (PHI) under HIPAA.

From March 30 to April 7, the company began notifying its healthcare provider customers that had been breached and worked with them to contact those whose PHI had been stolen. Early reports showed “thousands” of individuals were affected, but the number quickly escalated.

As a Business Associate, Understand and Follow HIPAA

Although business associates usually don’t directly interact with patients, their work is essential to healthcare services. They are required to comply with HIPAA, and are separately liable for compliance. All business associates should conduct a Risk Analysis, do their Risk Management and enter a business associate agreement with covered entity customers.

Know Your Business Associates

Two of the largest breaches in the past two years have occurred at business associates. The AMCA breach in 2019 and the Blackbaud breach in 2020 both affected millions of individuals who had entrusted their protected health information  to their healthcare providers.

As a covered entity it’s critical to do your due diligence with all business associates engaged to help you provide healthcare services. It is not a guarantee, but it goes a long way to ensuring HIPAA compliance, which includes the Security Rule Checklist, to meet all requirements of the HIPAA Security Rule.

HIPAA Compliance is the Best Defense

HIPAA compliance is a blueprint for protection against cybercrime. HIPAA Risk Analysis and Risk Management requires a detailed look at your security practices and defenses. Are there daily remote backups? Is malware and adware protection in place? Do you install updates and patches? Is the workforce trained to recognize phishing and other cybercrime tactics, and are there access controls to limit who may see certain data? Risk Management also requires a contingency plan in the event a hacker gets through – if the worst happens, what your next steps?

If you have questions, ask The HIPAA E-Tool®.

Don’t become a HIPAA Horror Story! HIPAA compliance is easy, when you know the rules.

Request A Demo

Copyright © 2023 ET&C Group LLC.

The HIPAA E-Tool® and Protecting Patient Privacy is Our Job®
are registered trademarks of ET&C Group LLC

Terms of Use | Privacy Policy | Cookies Policy | Privacy Settings | HTML/XML Sitemap

Mailing Address
The HIPAA E-Tool
PO Box 179104
St. Louis, MO 63117-9104

8820 Ladue Road Suite 200
St. Louis, MO 63124

Powered by JEMSU