Cyber Incident Victim: Faxton St. Luke’s Healthcare
Date: Feb 2021
Location: United States of America
Summary
A ransomware attack targeting healthcare administrative services provider CaptureRx compromised patient data across multiple U.S. healthcare institutions, including Faxton St. Luke’s Healthcare. The breach exposed sensitive information such as names, dates of birth, prescription details, and medical record numbers, with unauthorized access confirmed following an investigation into unusual system activity. The incident underscores heightened risks facing the healthcare sector due to the value of unalterable personal data and systemic vulnerabilities within third-party service providers. Attackers exploited these factors to steal and potentially monetize health information, triggering breach notifications to affected organizations and their patients while highlighting supply chain security challenges in critical infrastructure sectors.
Description
The ransomware attack on healthcare administration firm CaptureRx, detected on February 6, 2021, compromised patient data from multiple U.S. healthcare providers, including Faxton St. Luke’s Healthcare in New York. CaptureRx initiated an investigation after identifying unusual activity involving certain electronic files. By February 19, the company confirmed unauthorized access and exfiltration of patient files containing names, dates of birth, prescription information, and medical record numbers. Between March 30 and April 7, CaptureRx notified affected healthcare providers, who subsequently began informing impacted individuals. Faxton St. Luke’s Healthcare reported that 17,655 of its patients had their data accessed and stolen in the breach. CaptureRx advised affected individuals to monitor their accounts for unexpected activity, though the total number of compromised patients across all providers remained unclear.

The incident exposed vulnerabilities in third-party healthcare data management, affecting at least six additional entities: UPMC Cole, UPMC Wellsboro, Lourdes Hospital, Gifford Health Care (impacting 6,777 patients), Thrifty Drug Stores, and Swedish radiology provider Elekta, whose breach disrupted cancer radiation treatments at 42 U.S. sites. Healthcare organizations like Faxton St. Luke’s faced mandatory breach reporting to the U.S. Office for Civil Rights under HIPAA, potentially triggering fines similar to 2020 cases where Athens Orthopedic paid $1.5 million and Lifespan Health System paid $1.04 million for violations. Cybersecurity experts attributed healthcare’s attractiveness as a ransomware target to the high value of immutable personal data (e.g., Social Security numbers) and operational urgency that pressures providers to pay ransoms. Darktrace analyst Justin Fier noted the role of ransomware-as-a-service markets in escalating 2021 attacks, while Blue Hexagon CTO Saumitra Das emphasized supply chain risks from partners with data access. The breach underscored sector-wide challenges, prompting initiatives like the Center for Internet Security’s no-cost ransomware protection service for under-resourced U.S. hospitals.
