3rd Party Risk Management , Governance & Risk Management , HIPAA/HITECH

More Healthcare Disruptions Tied to Vendor Incidents

Pharmacy Administration Vendor, EMR Hosting Firm Among Latest Victims
More Healthcare Disruptions Tied to Vendor Incidents
The Alpine Center for Diabetes, Endocrinology and Metabolism P.C posted a notice for patients about its EMR outage.

Two companies that serve the healthcare sector have reported disruptive cyber incidents affecting their clients, the latest in a string of similar supply chain incidents.

See Also: Reducing Complexity in Healthcare IT

The most recent incidents affected San Antonio-based CaptureRx, which provides healthcare technology and administrative services to hundreds of U.S. hospitals and others, and Dallas-based MedNetworx, which provides hosted medical software, including the Aprima electronic medical records system from CompuGroup eMDs.

Many of the largest health data breaches reported to federal regulators so far this year have involved vendors, including the attack that took advantage of vulnerabilities in the Accellion File Transfer Appliance product.

Earlier supply chain incidents involving debt collector firm American Medical Collection Agency and cloud-based fundraising software vendor Blackbaud led to dozens of health data breach reports affecting tens of millions of individuals.

In light of vendor breaches, healthcare organizations need to take extra precautions, privacy and security experts say.

"Healthcare organizations that hire these firms should take prompt action to protect themselves from the fallout, beginning with shoring up their vendor relationships," says privacy attorney David Holtzman of the consulting firm HITprivacy LLC.

CaptureRX Incident

CaptureRx says it's notifying clients that unauthorized access to certain files could have exposed patient details, such as name, date of birth, prescription information and medical records.

The company also posted a list of about 40 healthcare clients affected by the incident.

CaptureRx says an investigation determined certain files were accessed and acquired on Feb. 6 without authorization.

In addition to notifying healthcare providers affected by the incident, it is working with those clients to notify individuals whose information was contained in the files, CaptureRx says. The company did not immediately reply to an Information Security Media Group request for comment, including whether ransomware was involved.

The company says it's reviewing its policies and procedures and will provide additional workforce training.

Several healthcare organizations have issued notices about being affected by the CaptureRX incident, including Faxton St. Luke’s Healthcare, an affiliate of the Mohawk Valley Health System, which announced on May 4 that the data of more than 17,000 patients had been breached.

MedNetworx Incident

Meanwhile, the cyber incident involving Dallas-based MedNetworx affected an unspecified number of small and midsized healthcare practices that rely on MedNetworx to host the Aprima electronic medical records system from vendor CompuGroup eMDs.

In a statement to ISMG, MedNetworx says that on April 22, it experienced a network outage that resulted in a temporary disruption to its servers and other IT systems.

"Upon discovering the outage, MedNetworx immediately initiated an investigation and took steps to contain the outage including taking a significant portion of its network offline."

The company's investigation has determined that the outage was due to a security incident that involved unauthorized access by a third party to certain of its computer networks, the company says.

"The investigation into the scope of the incident, including whether data was potentially affected, remains ongoing." MedNetworx did not respond to ISMG's inquiry about whether the incident involve ransomware.

CompuGroup eMDs did not immediately respond to ISMG's request for comment on the incident.

Client Impact

In recent weeks, however, several Aprima clients have posted notices that an EMR outage had affected the practices' ability to access patient records.

For instance, the Colorado-based Alpine Center for Diabetes, Endocrinology and Metabolism posted on its website an apology to patients regarding the April 22 Aprima incident that left the practice unable to access its EMRs for more than two weeks.

A receptionist at the clinic told ISMG on Monday that its services for the EMR had just been restored.

In addition to the practice's note to patients, the clinic posted a letter it received from Derek Pickell, the CEO eMDs, the developer of Aprima.

In the message, Pickell says that its unnamed hosting vendor had recently discovered a security incident that affected its system. "They continue to work around the clock to resolve any disruptions to certain systems and operations … The goals now are to remove any malware from all systems, make sure all devices are clean and restore full functionality and data."

A spokesperson for Arthritis & Osteoporosis Center of Kentucky, another eMDs client affected by the Aprima outage, tells ISMG that access to the EMR application has been spotty and unpredictable. For instance, the practice "has access at times to patients charts and scheduling, however, it is so slow it takes us several minutes to change from one tab to another making it nearly impossible to do anything."

The spokesperson, commenting midday Monday, adds: "This morning, we had no access whatsoever, and thankfully last week we printed out the schedule for this week. We had to roll our phones over to night mode and have not been able to answer calls for weeks, instead referring them to a HIPAA-compliant email to forward their concerns."

The practice is not able to access any lab results, "or even send out any billing, which is crippling for us because, if we don’t send out claims, there is no revenue coming in for the practice," the spokesperson says.

The practice, however, is still seeing patients but cannot schedule follow-up appointments.

"It seems every day improves just a little bit, but today it looks like we have taken three steps back from Friday of last week," the spokesperson adds.

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.

Prajeet Nair

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing healthcareinfosecurity.com, you agree to our use of cookies.