May 28, 2021
MASSENA, N.Y. – Massena Hospital (MH), part of St. Lawrence Health, was notified on April 5, 2021, that CaptureRx, a third-party business associate, experienced a data breach on February 6, 2021, that may have impacted limited protected health information (PHI) of individuals whose information was provided to CaptureRx to assist with 340B processing.
CaptureRx is a Third Party Administrator (TPA) that provides compliance and cost-saving services to MH for its 340B-eligible prescriptions. The 340B Program allows eligible health care providers who serve a large number of low-income patients to purchase medications at a special discount from drug makers. Those savings can in turn be used by these eligible providers to fund services and care for their patients, at no cost to taxpayers.
The breach included limited data on 1,897 MH patients. CaptureRx will be notifying each individual involved in the breach with a letter.
What happened? CaptureRx recently became aware of unusual activity involving certain files in its systems. Following this, CaptureRx immediately began an investigation into the activity and worked quickly to assess the security of its systems. On February 19, 2021, the investigation determined that certain files were accessed on February 6, 2021, without authorization.
CaptureRx immediately began a thorough review of the full contents of the files to determine whether sensitive information was present at the time of the incident. On or around March 19, 2021, CaptureRx confirmed some information for MH patients was present in the relevant files. To date, CaptureRx is unaware of any actual or attempted misuse of PHI as a result of this incident.
What information was involved? The investigation determined that, at the time of the incident, the relevant files contained the following data elements: first name, last name, date of birth, pharmacy information, and, for some patients, the Medical Record Number. Please note that while their investigation has not identified any actual or attempted misuse of the patient information, CaptureRx is directly notifying patients to ensure all those affected are aware of this incident.
What is CaptureRx doing? Data privacy and security are among CaptureRx’s highest priorities, and there are extensive measures in place to protect information in CaptureRx’s care. Upon learning of this incident, CaptureRx moved quickly to investigate and respond. This investigation and response included confirming the security of CaptureRx’s systems, reviewing the contents of the relevant files for sensitive information, and notifying business partners associated with that sensitive information. As part of CaptureRx’s ongoing commitment to the security of information, all policies and procedures are being reviewed and enhanced, and additional workforce training is being conducted to reduce the likelihood of a similar event in the future.
What patients can do. We encourage affected patients to remain alert against incidents of identity theft and fraud, to review their account statements and explanation of benefits forms, and to monitor their free credit reports for suspicious activity and to detect errors.
For More Information. You can read more about the incident on CaptureRx’s website. Impacted patients will receive a letter in the mail; additional questions can be directed to CaptureRx’s dedicated assistance line at 855.654.0919.