Cyber Incident Victim: University of Pittsburgh Medical Center
Date: Feb 2021
Location: United States of America
Summary
A ransomware attack on healthcare administrative services provider CaptureRx compromised sensitive patient data held on behalf of multiple U.S. healthcare institutions, including UPMC facilities. The breach exposed personal and medical information such as names, dates of birth, prescription details, and medical record numbers for thousands of patients; 7,400 individuals were affected at two UPMC locations alone. Unauthorized access to CaptureRx's systems led to the theft of patient data files. The company notified the impacted healthcare providers, who in turn alerted affected patients to monitor for misuse of their information. The incident highlighted the risk of third-party vendors handling protected health information and underscored the broader cybersecurity challenges facing the healthcare sector: exposed personal data such as dates of birth cannot be changed, medical records are high-value, and operational criticality increases the pressure to pay ransoms.
Description
On February 6, 2021, CaptureRx detected unusual activity involving certain electronic files within its systems, prompting an immediate investigation. The San Antonio-based healthcare administrative services provider confirmed by February 19 that unauthorized actors had accessed and exfiltrated patient data files during the incident. The compromised information included patient names, dates of birth, prescription details, and medical record numbers. Between March 30 and April 7, CaptureRx notified affected healthcare provider clients across multiple states, including UPMC Cole and UPMC Wellsboro in Pennsylvania, which reported 7,400 impacted patients. Other confirmed affected entities included Faxton St. Luke’s Healthcare (17,655 patients), Gifford Health Care (6,777 patients), Lourdes Hospital, and multiple Thrifty Drug Store locations. CaptureRx collaborated with these providers to initiate patient notifications, advising individuals to monitor their accounts for suspicious activity. The total number of compromised patients across all CaptureRx clients remained undetermined at the time of reporting.

The ransomware attack disrupted prescription-related administrative services for numerous healthcare organizations and exposed weaknesses in the third-party healthcare vendor ecosystem. Cybersecurity experts noted that the incident fit a broader targeting pattern, with attackers exploiting healthcare providers' reliance on administrative partners that handle sensitive data. Because the breach affected far more than 500 individuals, it triggered a breach investigation by the U.S. Department of Health and Human Services' Office for Civil Rights into whether HIPAA's privacy and security requirements were met, following enforcement precedents such as the 2020 $1.5 million settlement with Athens Orthopedic Clinic. Industry analysts observed that healthcare entities remain prime ransomware targets because of the combination of immutable personal data, high-value medical records, and operational criticality that increases pressure to restore systems rapidly. The incident occurred amid heightened sectoral awareness following attacks like the 2021 Elekta incident that disrupted radiation therapy for cancer patients across 42 U.S. sites. CaptureRx's breach underscored systemic supply chain risk, with cybersecurity professionals emphasizing the need for rigorous vetting of third-party vendors' security practices.
