CaptureRX faces bankruptcy if $4.75 million settlement in healthcare breach lawsuit not approved

A sign is displayed outside a Walmart store on November 16, 2021 in American Canyon, California. Walmart has been named a defendant in an ongoing lawsuit regarding the CaptureRX infringement. (Photo by Justin Sullivan/Getty Images)

NEC Networks, d/b/a CaptureRX, has reached an agreement with the 2.42 million patients whose data was stolen before a ransomware attack against the health sector associate in early 2021. CaptureRX provides health informatics services to a range of provider organizations.

If approved, the settlement would require CaptureRX to pay victims of the breach a total of $4.75 million. Notably, the company’s CEO released a statement as part of the proposed settlement which states that if the arrangement is not approved, “CaptureRX will seriously consider filing for bankruptcy.”

“CaptureRx has a wastage insurance policy related to this case. The insurer is making a substantial contribution to the settlement. But based on its policy limits, the amount covered is less than half of the total settlement,” said explained CEO Chris Hotchkiss in the proposal.

The company is facing “compensation claims from numerous customers, who have also been named as defendants in the class action lawsuits, who have exerted and continue to exert severe financial pressure on the company,” it said. he continued. As a result, the owners of the company are “funding part of the settlement with their own money”.

The CaptureRX incident was the fourth largest healthcare data breach last year.

The initial notice contained few details, such as when the incident was first discovered. Instead, CaptureRX began notifying 1.2 million patients in the spring of 2021 that an investigation concluded in February 2021 found that protected health information had been stolen from their network before a cyberattack.

The investigation confirmed that the threat actors accessed and exfiltrated patient data, including patient names, birth dates and prescription details. However, shortly after the CaptureRX notice was published, other vendors issued their own breach notifications, including NYC Health + Hospitals.

The hospital system discovered in May 2021 that data belonging to more than 40,000 of its patients was among the information accessed and/or exfiltrated during the CaptureRX hack. The notice said the provider had negotiated with the attackers for the release of the data, with confirmation that the stolen information had been removed.

For several months, CaptureRX maintained a running list of affected organizations on its website, which included MetroHealth and Walmart. In total, more than 2.42 million patients linked to dozens of health entities were involved.

Walmart has also been named a defendant in the ongoing lawsuit. The proposed settlement will consolidate 10 ongoing class action lawsuits that allege “willful and reckless violations on the part of the seller.” [patients’] privacy rights” led to the initial hack and subsequent data exfiltration.

The lawsuit claims that CaptureRX failed to properly protect patient data and failed to take necessary precautions to protect PHI from unauthorized disclosure. The provider is also accused of mishandling and failing to protect data, which was “easily capable of being copied by thieves and not maintained in accordance with basic security protocols”.

Although CaptureRX has not admitted any wrongdoing, the proposed monetary settlement will provide each breach victim who files a claim with a cash payment of $25. Patients will not need to provide proof of identity theft caused by the incident. California patients are entitled to another payment of $75, under the state’s privacy law.

If approved, the provider will have 90 days to improve and implement a comprehensive IT security program to better protect patient data. The regulation requires that the security program include administrative, technical and physical safeguards appropriate to the size of its operations.

This is the second healthcare data breach settlement announced in less than a week, with decidedly different results. Inmediata Health Group recently reached a $1.13 million settlement for its class action lawsuit with the 1.5 million patients affected by a cyber incident and shipping error in 2019.

Each breach victim who files a claim is entitled to reimbursement of up to $2,500 for out-of-pocket costs, which must be directly related to recovery efforts caused by the breached information. Breach victims are also eligible to receive up to $15 per hour for up to three hours, for time lost in recovery efforts.

However, the regulations do not require any safety improvements. As these lawsuits and subsequent settlements become normal, there is a growing need for more clarity and standards.

Terri S. Tomasini