NewsLocal NewsCleveland Metro


Ransomware attack on MetroHealth vendor compromises patient health data; other pharmacies affected

Posted at 5:51 PM, Jun 09, 2021
and last updated 2021-06-09 19:17:11-04

CLEVELAND — A ransomware attack earlier this year on a Texas-based company could have compromised the data of an unknown number of MetroHealth patients. Based out of San Antonio, CaptureRx, a vendor for MetroHealth that helps hospitals manage their 340b drug pricing programs, said the breach was first confirmed in February and compromised the data of more than 1.6 million patients, including first and last names, dates of birth and prescriptions.

In letters to affected patients, CaptureRx said the company became aware of the unusual activity and confirmed the breach approximately two weeks after the breach occurred on Feb. 6, 2021. The company initiated a review and began notifying clients of the breach in late March. CaptureRx’s clients include dozens of hospital systems and national pharmacy and grocery chains.

In late May, more than three months after the breach, CaptureRx began mailing letters to patients whose data was compromised. Other companies including Discount Drug Mart, Rite Aid, Giant Eagle and Meijer were also listed as being affected by the data breach.

“As part of CaptureRx’s ongoing commitment to the security of information, all policies and procedures are being reviewed and enhanced and additional workforce training is being conducted to reduce the likelihood of a similar future event,” the letter reads.

No specific details were provided. It remains unclear how many MetroHealth patients had their sensitive data compromised but a CaptureRx statement provided to News 5 by MetroHealth states that the breach did not affect MetroHealth systems nor did it impact patient care. A hospital spokesperson said the health system still does business with CaptureRx.

In a statement, MetroHealth officials said the data breach at CaptureRx occurred through a vulnerability with the company's build server, which is hosted by a third party. The hackers were allowed to get credentials to the system and access the server. This access allowed the hackers to siphon the personal health data from more than a million customers, possibly more.

“The challenge is that everything is getting more online and more accessible, which means there is a greater attack surface. There are more targets,” said Alex Hamerstone, a leading cyber security expert from TrustedSec, a Strongsville-based information security consulting firm. “It really is much different than having your bank account data stolen or your credit card data stolen. Obviously, that is very impactful and you never want that to happen but it is much different when it's your personal details. You start talking about what if somebody accesses your text messages and your medical history. Those are things that are much more private than a 16 digit credit card number. It can be life changing.”

Hamerstone said health care-related data is often more valuable to hackers. When that data is compromised, consumers have few avenues of recourse compared to when financial data is compromised. Additionally, Hamerstone said there are fewer preventative measures that consumers can take to prevent their health care data from being compromised.

“When you share that data with someone else like a hospital, it’s only as secure as they keep it,” Hamerstone said. “Health data is more valuable than credit card data. One of the reasons is it is used in fraud. It allows fraudulent organization to create profiles and bill insurance companies, the government, whatever, and get paid on it.”

Hamerstone said the CaptureRx data breach highlights the troubling fact that it is not just the major companies who are targets of hackers but also the companies that those firms do business with.

“It used to be a lot of these systems. We would think they had walls around them. Now, they are much more open in the sense of data sharing and connection and things like that. It’s also much more common in that companies are outsourcing things,” Hamerstone said. “It’s what we call third, fourth and fifth party risk. The companies that you use and the companies that they use can present risk. You’re not just relying on the company you’re dealing with… you’re relying on their vendor selection. The services they use, the companies they use, etc. It really creates a much larger attack surface and more opportunities.”

In the letter sent to affected consumers, CaptureRx advises those affected by the breach to monitor their accounts closely and review their credit reports. Under federal law, consumers are entitled to one free credit report per year from each of the three major credit reporting bureaus.

Consumers also have the right to place an initial or extended fraud alert on their credit, which would require businesses to take extra steps to verify a consumer’s identity before extending new credit. Additionally, consumers can also place a freeze on their credit report, which would prevent any information in the credit report without the consumer’s direct authorization. More information can be found by visiting