Data breach at San Antonio health care technology firm CaptureRx sparks class-action lawsuits

That follows a similar complaint filed May 25 in federal court in Kansas City, Missouri, on behalf of Missouri residents. It also seeks more than $5 million in damages.

The Department of Health and Human Services’ Office of Civil Rights is investigating the breach. The agency’s website shows 1,656,569 people were affected.

A CaptureRx spokeswoman didn’t respond to a request for comment Friday.

CaptureRx acts as an administrator for hospitals, clinics and health centers participating in the 340B program, a government initiative requiring pharmaceutical companies to sell drugs at a discount to health care providers caring for under-served populations.

The San Antonio lawsuit also names Rite Aid, which contracts with CaptureRx to process pharmacy claims. Walmart also is a defendant in the Kansas City case.

CaptureRx disclosed last month that it learned of “unusual activity” in some of its electronic files in February.

The company determined the files were accessed without authorization. The files contained the names, dates of birth and prescription information for certain patients of healthcare providers that CaptureRx provides services for.

CaptureRx issued a May 5 statement on the data breach, though it didn’t disclose how many people were affected. It provided the notice on behalf of about 170 health care providers. It doesn’t appear that any of the providers are in San Antonio.

In a May 5 letter to Washington state’s attorney general, a Pennsylvania lawyer for CaptureRx said 124,175 Washington residents may have been affected by the security breach. The letter was attached to the San Antonio lawsuit.

The San Antonio complaint was brought by Daisy Trujillo of Merced County, California, located between San Jose and Fresno.

Trujillo is a longtime Rite Aid customer who received notice of the breach. Afterwards, she says in the suit, her cellphone was “inundated with spam” calls and her email was “flooded with spam emails.”

Trujillo’s suit says personal information obtained in the breach can be sold on the “dark web.”

“Drug manufacturers, medical device manufacturers, pharmacies, hospitals and other healthcare providers often purchase” personal identifiable information and personal health information “on the black market for the purpose of target marketing their products and services to the physical maladies of the data breach victims themselves,” the lawsuit alleges. “Insurance companies purchase and use wrongfully disclosed” personal health information “to adjust insureds’ medical insurance premiums.”

Sensitive health care data can sell for as much as $363 for each record, the suit adds, citing the Infosec Institute.

CaptureRx and Rite Aid are accused of failing to comply with the Health Insurance Portability and Accountability Act, which was enacted in 1996 to protect sensitive patient health information.

Trujillo seeks to represent a nationwide class of plaintiffs, as well as a separate subclass of California plaintiffs.

The judge overseeing the Kansas City case this week granted a motion keeping the identity of the plaintiff private. The motion for the order has been sealed. The plaintiff is only identified as D.W. of Lowry City, Missouri.

Both lawsuit’s causes of action include negligence, invasion of privacy and breach of implied contract.

Comments are closed.