Lawsuits Against CaptureRx Pile Up and So Do Victim Counts
At Least 3 Lawsuits Filed So Far After Breach Affecting Millions
Another lawsuit seeking class action status was filed last week against San Antonio-based NEC Networks - which does business as CaptureRx - in the aftermath of a hacking incident that now appears to have affected several dozen of the vendor's healthcare clients and at least 2.4 million individuals.
The new lawsuit, filed last week in a Texas federal court, joins at least two other lawsuits filed in recent weeks in the aftermath of the hacking incident, says regulatory attorney Paul Hales of the Hales Law Group, who is not involved in the legal actions.
"I expect all federal CaptureRx cases to be consolidated … in one district court for pretrial proceedings," he says. "This will quickly become a legal free-for-all with plaintiffs’ counsel competing to be selected as interim class counsel and defendants’ counsel unleashing a bevy of pretrial motions. A key question in each of the class actions is whether members have standing to bring the lawsuit. They must be able to show they suffered concrete harm, not speculative future harm."
Growing Victim Count
CaptureRx, which provides healthcare technology and administrative services to hundreds of U.S. hospitals and other clients, said in its breach notification statements that the hacking incident, which involved "unusual activity involving certain electronic files," exposed patient names, dates of birth and prescription information.
The company has warned affected individuals to "remain vigilant against incidents of identity theft and fraud," but so far, it has not offered affected individuals prepaid credit/ID monitoring - a point that is spotlighted in the newly filed Texas lawsuit.
CaptureRx reported the security incident to the Department of Health and Human Services on May 5 as affecting nearly 1.7 million individuals, according to HHS' Office for Civil Rights' HIPAA Breach Reporting Tool website, which lists health data breaches affecting 500 or more individuals.
But the latest of several updated breach notifications that CaptureRx has filed in recent weeks with the Maine attorney general's office indicates that the breach victim tally had grown to more than 2.4 million individuals as of July 12.
On its website Monday, CaptureRx listed nearly 150 affected healthcare provider clients for which it has issued its data breach notice.
State data breach reporting and federal HIPAA breach reporting can potentially diverge from each other in victim numbers, says regulatory attorney Helen Oscislawski of the law firm Attorneys at Oscislawski LLC, who is not involved in the CaptureRx lawsuits.
"State breach reporting requirements … typically also require vendors like CaptureRx to report all of the affected lives directly to the state," she notes. But under the HIPAA Breach Notification Rule, the obligation to report health data breaches to HHS falls on the covered entity, rather than on the business associate providing it with services.
"The HIPAA rule requires the business associate to report such breaches of PHI to the affected covered entity only. That said, a covered entity may agree to allow its BA to file such breach reports on its behalf," Oscislawski says.
In an undated breach notice posted on its website, CaptureRx said it recently became aware of unusual activity involving some of its electronic files. "Following this, CaptureRx immediately began an investigation into this activity and worked quickly to assess the security of its systems. On Feb. 19, the investigation determined that certain files were accessed and acquired on Feb. 6, without authorization."
Between March 30 and April 7, CaptureRx began the process of notifying healthcare providers of the incident, the breach notification statement says. "Since then, CaptureRx has worked with healthcare providers to notify the affected individuals whose information was identified by the review."
CaptureRx did not immediately respond to Information Security Media Group's request for comment on the lawsuits.
The latest lawsuit against CaptureRx alleges that the company's "egregious failure" to exercise reasonable care and use commercially reasonable security measures allowed "ill-intentioned criminals" to access the personally identifiable information and protected health information of patients.
Those whose information was exposed "face the imminent, certainly impending and substantially heightened risk of identity theft, fraud and further misuse of their personal data," the lawsuit alleges.
Similarly, a proposed class action lawsuit against CaptureRx filed in a California federal court in June alleges: "Hackers can access and then offer for sale the unencrypted, unredacted PII and PHI to criminals. Plaintiff and class members face a lifetime risk of identity theft, which is heightened here by the loss of their birthdates and specific medical treatment information in the form of prescription information."
The Texas lawsuit notes that CaptureRx did not offer to provide victims with free credit monitoring or identity protection services.
The lawsuit alleges CaptureRx is guilty of negligence and seeks actual, nominal, statutory and consequential damages, as well as a court order requiring CaptureRx to implement "adequate security practices consistent with law and industry standards to protect its users’ PII and PHI."
Privacy attorney Iliana Peters of the law firm Polsinelli, who is not involved in the CaptureRx lawsuits, predicts that the current trend of large supply chain vendor and other business associate breaches is only going to continue, given the vast amounts of data such entities hold and the fact that such organizations will continue to be targets for attackers of all types.
"As such, I recommend - and in conjunction with the National Institute of Standards and Technology's cybersecurity framework version 1.1, which was revised to include vendor relationships - that entities of all types seriously consider the implications of the vendor relationships, particularly with regard to the sharing of data and applicable security controls."