NYC Health + Hospitals, began to notify over 43,000 patients about the disclosure of some of their protected health information (PHI), which occurred on or around February 6, 2021. NYC Health + Hospitals discovered the disclosure on May 14, 2021. The incident involved the exfiltration of patient information from a NYC Health + Hospitals former third-party vendor, CaptureRx, by a Threat Actor. The PHI included patients’ names, dates of birth, and prescription information. No financial information or other identifiers were exfiltrated by the Threat Actor.
There is no evidence to suggest that the PHI has been misused in any manner. On February 11, 2021, CaptureRx engaged a forensic firm to evaluate its systems for vulnerabilities and to monitor the dark web and public websites for the presence of the PHI. The forensic firm found no evidence of the PHI on either the dark web or public websites. In addition, the Threat Actor returned the PHI to CaptureRx, and provided evidence that it had destroyed the PHI.
CaptureRx has also provided information on their website regarding the incident. Affected individuals are invited to visit the CaptureRx website at https://www.capturerx.com/data-incident/ or call CaptureRx toll free 1-855-654-0919, from 9:00 am to 5:00 pm (Eastern Time) Monday through Friday, with any questions or related concerns.
Consistent with federal regulatory requirements, NYC Health + Hospitals has notified the Office for Civil Rights (OCR), the federal oversight agency for unauthorized disclosures of PHI.