CLEVELAND — A ransomware attack from early 2021 put personal medical information from patients at MetroHealth Medical Center and several other local pharmacies at risk.
CaptureRx first learned of a breach in its 340b drug pricing software in February, but patients may only now be finding out that their data was involved. CaptureRx reports that names, dates of birth, and prescription information were taken.
3News obtained a statement about the incident from MetroHealth on Friday morning. MetroHealth officials say CaptureRx took action upon learning of the event by immediately changing all user passwords. There was no impact to the systems of MetroHealth or patient care.
“Moving forward, CaptureRx is taking a number of steps to harden its existing security procedures, including reviewing and enhancing information security policies and procedures where appropriate, hardening firewall rules and workforce training is being implemented to reduce the likelihood of a similar incident,” according to MetroHealth’s statement.
Pharmacy customers at Discount Drug Mart, Giant Eagle, Rite Aid, Meijer and other providers could have also been exposed. CaptureRx has notified impacted patients and provided guidance on what steps they can take to prevent misuse of their personal information.
If you did not receive a notification letter but want to verify you were not affected, you can call CaptureRx to confirm you are not on the list. That hotline, 855-654-0919, is staffed Monday to Friday from 9 a.m. to 9 p.m. EST.
“Both CaptureRx and MetroHealth take this incident and the security of personal information very seriously,” MetroHealth officials said in their statement. “CaptureRx continues to explore ways to further enhance the security of its systems to better protect against future incidents of this kind.”
Additionally, MetroHealth provided the following timeline connected to the situation:
- Feb. 19, 2021: The investigation determined that certain files were accessed and acquired on February 6, 2021 without authorization. The root cause of the CaptureRx data security incident was an identified vulnerability with the build server hosted by a third-party, which was then exploited. This allowed the threat actor to gain credentials that allowed access to the server.
- On or around March 19, 2021: CaptureRx determined that the relevant files contained patients’ first name, last name, date of birth and prescription information. There was no impact to the systems of MetroHealth or patient care.
“Everything like that which is all the data you need to do identity theft,” said Tyler Hudak with Strongsville’s TrustedSec. He runs the incident response team, which responds to local ransomware attacks every week. He says the pandemic has made things worse.
“With the increase in remote work over the last year, that has absolutely contributed to the number of attacks that are happening and the ease at which some of these attacks occur,” said Hudak. Home networks often aren’t as secure, and workers aren’t as suspicious of phishing emails as they need to be.
The federal government is now stepping up, too. This week, the Justice Department announced it was able to trace and return part of the ransom Colonial Pipeline paid in May, in the attack that disrupted gas supply to the East Coast.
The DOJ’s newly formed Ransomware and Digital Extortion Task Force is working with the US Attorney’s Office here in Cleveland.
“It taps into a lot of very experienced personnel who are very well equipped to respond to the threats, and try to identify where we as a country, as a government, can tighten up defenses,” said Acting U.S. Attorney Bridget Brennan.