Cyber Incident Victim: JailBreak
Date: Feb 2021
Location: United States of America
Summary
A ransomware attack targeting healthcare administrative services provider CaptureRx compromised patient data across multiple U.S. healthcare institutions, including hospitals and pharmacies. The breach exposed sensitive information such as names, birth dates, prescription details, and medical record numbers, affecting thousands of individuals. Attackers exfiltrated data after exploiting system vulnerabilities, prompting notifications to impacted providers and patients. The incident underscores healthcare sector vulnerabilities, where attackers leverage critical operational dependencies and immutable personal data to pressure organizations into paying ransoms. Experts highlighted broader risks from third-party software supply chain weaknesses and ransomware-as-a-service models enabling such attacks. Regulatory investigations into potential HIPAA violations followed the breach.
Description
On February 6, 2021, CaptureRx, a San Antonio-based healthcare administration company providing medication-related services, detected unusual activity involving certain electronic files. The company initiated an investigation, confirming by February 19 that unauthorized actors had accessed and exfiltrated patient data files. The compromised information included patient names, dates of birth, prescription details, and medical record numbers. The breach impacted multiple healthcare providers utilizing CaptureRx’s administrative services across the United States. Affected entities included UPMC Cole and UPMC Wellsboro hospitals in Pennsylvania, Faxton St. Luke’s Healthcare and Lourdes Hospital in New York, Gifford Health Care in Vermont, and multiple Thrifty Drug Store locations. Specific patient exposure figures were confirmed for some providers: 17,655 patients at Faxton St. Luke’s, 6,777 at Gifford Health Care, and 7,400 across UPMC Cole and UPMC Wellsboro. The total number of affected patients and healthcare providers remained undisclosed, though the breach necessitated coordinated notifications across multiple states.

Between March 30 and April 7, 2021, CaptureRx notified all impacted healthcare providers and collaborated with them to inform affected individuals. Patients were advised to monitor their accounts for suspicious activity resulting from the theft of unalterable personal data, including information frequently targeted for identity theft. The incident triggered breach notifications from Faxton St. Luke’s, Gifford Health Care, and other providers to the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR), initiating HIPAA violation investigations. Historical precedents indicated potential financial penalties, exemplified by 2020 fines of $1.5 million and $1.04 million against Athens Orthopedic and LifeSpan Health System for similar breaches. The ransomware attack disrupted prescription-related administrative services, though no direct treatment interruptions were cited in this incident, contrasting with contemporaneous attacks like the one on Elekta, which delayed cancer radiation treatments. CaptureRx’s breach underscored supply chain vulnerabilities affecting third-party healthcare vendors handling sensitive patient data.
