Cyber Incident Victim: CaptureRx

Date: Feb 2021

Location: United States of America

Summary

A ransomware attack targeting healthcare administration firm CaptureRx compromised sensitive patient data across multiple U.S. healthcare providers, including hospitals and pharmacies. The breach exposed personal and medical information such as names, birth dates, prescription details, and medical record numbers, impacting tens of thousands of patients. Unauthorized access to files was detected during an investigation, leading to notifications for affected providers and individuals. The incident underscores healthcare sector vulnerabilities due to the high value of unalterable patient data and operational pressures that incentivize ransom payments, exacerbated by increasingly accessible ransomware tools and supply chain risks through third-party vendors.

Description

On February 6, 2021, CaptureRx, a San Antonio-based healthcare administration company providing drug-related services, detected unusual activity involving certain electronic files. The investigation confirmed by February 19 that unauthorized actors had accessed and stolen patient files containing names, dates of birth, prescription information, and medical record numbers. The breach impacted multiple healthcare providers across the United States, including UPMC Cole and UPMC Wellsboro in Pennsylvania, Lourdes Hospital, Faxton St. Luke’s Healthcare in New York, Gifford Health Care in Vermont, and Thrifty Drug Stores. Specific patient exposure figures were confirmed for some entities: 17,655 patients at Faxton St. Luke’s Healthcare, 6,777 at Gifford Health Care, and 7,400 across UPMC Cole and UPMC Wellsboro. The total number of affected patients and healthcare providers remained undisclosed. Between March 30 and April 7, 2021, CaptureRx notified all impacted healthcare institutions and collaborated with them to inform individuals whose data was compromised. Affected parties were advised to monitor their accounts for unexpected activity.

The incident exemplified broader vulnerabilities in the healthcare sector, which ransomware actors frequently target due to the high sensitivity of medical data and operational reliance on uninterrupted systems. Attackers exploited stolen patient information for potential resale on the dark web or ransom demands, leveraging immutable personal identifiers like Social Security numbers. The breach triggered HIPAA violation investigations by the U.S. Office for Civil Rights, recalling prior penalties such as the $1.5 million fine against Athens Orthopedic and $1.04 million against LifeSpan Health System in 2020. Concurrently, the Center for Internet Security initiated a no-cost ransomware protection service for U.S. private hospitals lacking robust cybersecurity resources. Cybersecurity analysts highlighted parallels to the Elekta attack, where ransomware disrupted cancer radiation treatments across 42 U.S. sites, underscoring operational risks beyond data theft. CaptureRx’s breach also illustrated supply chain vulnerabilities, as third-party vendors handling sensitive data became attack vectors. Industry experts emphasized the necessity for organizations to audit partner security practices and enforce least-privilege access frameworks to mitigate such risks.
