CaptureRx Facing Multiple Class Action Lawsuits Because of the Ransomware Attack Affecting 2.4 Million Patients

CaptureRx, the healthcare administrative services provider is confronting multiple class-action lawsuits for not being able to secure patient information, which was acquired by unauthorized people in a February 2021 ransomware attack.

NEC Networks, dba CaptureRx, gives IT solutions to hospitals to help them handle their 340B drug discount services. By providing those solutions, CaptureRx receives the protected health information (PHI) of patients.

About February 6, 2021, CaptureRx discovered suspicious activity in areas of its IT systems, like file encryption. The investigation affirmed that files comprising the PHI of 2,400,000 or higher patients were exposed in the attack.

CaptureRx stated in its breach notice that all policies and procedures are being evaluated and improved and more employees training is being carried out to minimize the probability of identical future occurrence. Impacted persons were instructed to stay cautious against occurrences of identity theft and scam, to examine account statements and explanation of benefits forms, and to keep track of free credit reports for suspicious transactions and to identify errors.

On July 21, 2021, plaintiff Michelle Rodgers submitted a legal case in the U.S. District Court for the Western District of Texas. Rodgers is ARcare’s patient in Augusta, AR, whose personal data and PHI were breached in the attack.

Rodgers, and the class members, assert that CaptureRx was at fault for not implementing and maintaining reasonable safety measures and had not conformed with industry-standard data security procedures to make sure the privacy of their PHI, violating federal and state regulations. The plaintiff and class members want monetary damages and injunctive and declaratory relief.

The same lawsuit had earlier been filed in the District Court for the Western District of Texas naming Mark Vereen as plaintiff, which identifies NEC Networks, CaptureRx, and Midtown Health Center in Los Angeles as defendants. The lawsuit claims the defendants were responsible for not taking the required steps to avoid a data breach, the risk of which ought to have been known. The plaintiffs in that legal action claim they are in danger harm that might be long-term and serious,” which may continue for many years, and that the defendants violated the Federal Trade Commission regulations and HIPAA. The lawsuit foresees more than $5 million in losses.

A Missouri resident filed a legal case in federal court in Kansas City on behalf of all residents in Missouri affected by the breach, seeking a minimum of $5 million in damages.