
CaptureRx, a San Antonio, Texas-based provider of administrative services to healthcare providers, recently suffered a ransomware attack in which files containing the protected health information (PHI) of its customers’ patients were stolen.
The security breach was detected in February. The investigation confirmed that on Feb. 6, 2021, unauthorized individuals accessed and acquired patient files containing names, dates of birth, and prescription information. Medical record numbers for a smaller number of patients were also acquired. It still isn’t clear which of CaptureRx’s healthcare provider clients were affected. Until that can be ascertained, it’s impossible to determine the total number of patients affected by the breach, but it appears the number will be in the thousands.
As I’ve stressed on several occasions, keeping your patients’ PHI secure (and your practice protected) isn’t just something that happens within your practice’s walls. If your practice is like most, it has at least a couple of service providers regularly touching your patients’ PHI. Having a solid, up-to-date, fully executed Business Associate Agreement (BAA) with ALL of your service providers is paramount. It’s the only thing standing between your practice and liability for a data breach when one of your service providers suffers a breach affecting your patients’ data.