CaptureRx US Healthcare Co. Attack Exposes Patient PHI

BACKGROUND:

An attack on CaptureRX, which helps healthcare providers administer 340B programs (which let providers serving vulnerable patient populations purchase outpatient drugs at discounted prices), has exposed patients' names, dates of birth, and prescription information. Cybersecurity experts offer perspective.

Experts' Comments

May 11, 2021
Dr. Chenxi Wang
General Partner
Rain Capital

For healthcare providers that have a large amount of patient data that can fetch a handsome price in the underground market, ransomware represents a significant risk. To protect infrastructure against ransomware, organizations need to establish a rigorous vulnerability discovery and patching cadence, train users/employees to be extra vigilant against phishing, and verify security controls are working properly.

May 11, 2021
Garret F. Grajek
CEO
YouAttest

All PHI, Personal Health Care information, falls under HIPAA guidance. There are stated rules of practice for enterprises who handle PHI to follow. When a breach occurs and PHI is determined to be exfiltrated to non-permissioned users, an investigation can and usually does occur, conducted by the OCR, the U.S. Government's Office of Civil Rights. They will determine if the proper practices of data governance have been followed. Often, they determine that these practices have not been followed and fines are put in place, such as when Athens Orthopedic was fined $1.5M in 2020 and Lifespan Health System was fined $1.04M in 2020.


Data Governance starts with the HIPAA-prescribed regular access reviews, examining each reviewer who has access to data and applications, what data access privileges have changed, and who approved such changes in the last audit period.
