Lessons from the CaptureRx Disaster

What’s worse than a HIPAA investigation and penalties from the Office for Civil Rights (OCR)?

A class action lawsuit in federal court, with multiple plaintiffs and their determined lawyers, is worse. Right now CaptureRx and the covered entities it serves are in the glaring spotlight of several class actions across the U.S. after CaptureRx suffered a major data breach earlier this year.

CaptureRx is a supply chain vendor to multiple healthcare providers; under HIPAA it is a business associate and is directly required to follow the HIPAA rules. This week on its website it listed 150 healthcare provider customers also affected by the breach.

At least three large lawsuits are pending against CaptureRx, which provides healthcare technology and administrative services to hundreds of U.S. hospitals and other clients across the country. When we first reported on the breach in May, almost 1.7 million individuals were affected. Now the number appears to have grown to 2.4 million. With numbers that high, lawsuits usually follow.

The latest lawsuit, seeking class action status, was filed last week in federal court in Texas.

Although HIPAA does not provide individuals a private right to sue, plaintiffs' lawyers plead negligence, breach of contract and state laws instead, and point to HIPAA as evidence of the professional standard of care the defendant failed to meet.

Lawsuits are Public, Expensive and Grueling

OCR investigations are a cakewalk compared to a lawsuit. An investigation happens behind the scenes, and nothing becomes public unless it ends with a resolution agreement (usually with a payment and a corrective action plan) or a civil money penalty. OCR's mission is to increase compliance, so it also offers technical assistance to investigated parties who cooperate. None of this is publicized by the regulators while the investigation is under way. An investigation can be difficult and time-consuming, but most end amicably without a public settlement.

The mission of plaintiffs' lawyers is profit: they want to prove damages and recover the largest amount possible, whether as a judgment or a settlement. The minute a lawsuit is filed, the allegations become public. Anyone can pay a small fee and obtain a copy of the complaint, which lists all the grievances and every alleged wrong and bad act of the defendant.

Lawsuits are Tough on Reputations

The complaint against CaptureRx alleges that the company’s “egregious failure” to exercise reasonable care and use commercially reasonable security measures allowed “ill-intentioned criminals” to access the personally identifiable information and protected health information of patients.

The complaint goes on to say that the individuals whose information was exposed “face the imminent, certainly impending and substantially heightened risk of identity theft, fraud and further misuse of their personal data”. The lawsuit notes that CaptureRx did not offer to provide victims with free credit monitoring or identity protection services. Another class action lawsuit is pending against CaptureRx in a California federal court with similar dramatic language.

The plaintiffs allege that CaptureRx was negligent and should pay actual, nominal, statutory and consequential damages. They also ask for a court order requiring CaptureRx to implement "adequate security practices consistent with law and industry standards to protect its users' PII (personally identifiable information) and PHI (protected health information)."

Key Takeaways from CaptureRx Litigation

  • Healthcare cyber attacks have become routine, and class action lawsuits against companies that experience large healthcare data breaches are now becoming routine as well.
  • CaptureRx is a supply chain vendor. Its covered entity customers whose data was stolen were unsuspecting victims of the breach, yet some of them are now defending lawsuits.
  • Although the CaptureRx breach is massive, affecting 2.4 million individuals in total, it touches many smaller covered entities, each of which used CaptureRx to serve a much smaller number of patients.
  • Covered entities must perform due diligence on the business associates with which they share PHI and confirm that each one is actually complying with HIPAA. A signed business associate agreement is required by the HIPAA rules, but on its own it is not evidence that the vendor's safeguards work.
  • HIPAA compliance is a blueprint to protect your organization and your patients.

Maggie Hales

Maggie Hales is a lawyer focusing on health information privacy and security. As CEO of ET&C Group LLC she advises health care providers and business associates in 36 states, Canada, Egypt, India and the EU, using The HIPAA E-Tool® to deliver up to date policies, forms and training on everything related to HIPAA compliance.

Copyright © 2024 ET&C Group LLC.