CaptureRx, a health IT company that helps hospitals manage their 340B drug discount programs, is being accused of failing to properly protect health information stored on its network after a ransomware attack exposed at least 2,400,000 patients' information, according to court documents cited by Bloomberg Law.
San Antonio-based CaptureRx discovered unusual activity on or around Feb. 6 in some files on its IT systems. Compromised files contained patient records with protected health information including names, birthdates and prescription details.
Michelle Rodgers, a patient at ARcare in Augusta, Ark., is the plaintiff in the lawsuit, which was filed July 21 in the U.S. District Court for the Western District of Texas. The suit claims on behalf of Ms. Rodgers and other members of the class that CaptureRx was negligent in protecting their PHI. The plaintiffs are seeking monetary damages and injunctive and declaratory relief, according to the court documents.
"CaptureRx is responsible for allowing this Data Breach through its failure to implement and maintain reasonable safeguards and failure to comply with industry-standard data security practices as well as federal and state laws and regulations governing data security, including security of PHI," the lawsuit alleges.
A growing list of hospitals and health systems have reported breaches stemming from the incident. Some of the affected providers include NYC Health + Hospitals, Ascension St. Joseph Hospital, Bayhealth and UPMC Cole. The Maine Attorney General's office reported the breach as affecting 2,420,141 individuals.