Cyber Incident Victim: Gifford Health Care

Date:

Feb 2021

Location:

United States of America

Summary

A ransomware attack targeting healthcare administrative services provider CaptureRx compromised patient data across multiple U.S. healthcare institutions, including Gifford Health Care. The breach exposed sensitive information such as names, dates of birth, prescription details, and medical record numbers, with thousands of patients affected at each impacted provider. Attackers accessed and exfiltrated the data, prompting notifications to healthcare entities and affected individuals. The incident underscores healthcare's vulnerability to ransomware due to the critical nature of medical data and operational systems, which increases pressure to pay ransoms. Experts highlighted risks from third-party vendor vulnerabilities, emphasizing the need for rigorous security assessments of partners handling sensitive data.

Description

On February 6, 2021, CaptureRx, a San Antonio-based healthcare administration company providing medication-related services, detected unusual activity involving certain electronic files. The company initiated an investigation and confirmed by February 19 that unauthorized actors had accessed and exfiltrated patient data files. The compromised information included patient names, dates of birth, prescription details, and medical record numbers. CaptureRx provided administrative services to multiple healthcare providers across the United States, leading to widespread exposure. At least three healthcare institutions—UPMC Cole, UPMC Wellsboro, Lourdes Hospital, Faxton St. Luke’s Healthcare, Gifford Health Care, and several Thrifty Drug Store locations—were confirmed as affected entities. Gifford Health Care in Randolph, Vermont, reported that 6,777 of its patients had their data accessed. Faxton St. Luke’s Healthcare disclosed 17,655 affected patients, while UPMC Cole and UPMC Wellsboro confirmed 7,400 impacted individuals. The total number of patients exposed across all CaptureRx clients remained unclear.

Between March 30 and April 7, 2021, CaptureRx notified all affected healthcare providers of the breach. These providers subsequently initiated individual notifications to patients whose data was compromised, advising them to monitor accounts for suspicious activity. The incident triggered HIPAA violation investigations by the U.S. Department of Health and Human Services’ Office for Civil Rights, referencing prior enforcement actions like the $1.5 million fine against Athens Orthopedic in 2020. Cybersecurity experts cited healthcare providers’ high susceptibility to ransomware due to their reliance on uninterrupted services and the immutable nature of stored data, including Social Security numbers. The attack also underscored supply chain vulnerabilities, as third-party vendors like CaptureRx handling sensitive data became indirect vectors for compromising multiple organizations. No ransomware variant or payment demands were specified in disclosures, though the breach’s timing aligned with broader 2021 trends of escalating ransomware-as-a-service operations and attacks on critical healthcare infrastructure, such as the contemporaneous incident affecting Swedish firm Elekta that disrupted radiation therapy for cancer patients across 42 U.S. sites.
