A sign is posted in front of a Walmart store on November 16, 2021 in American Canyon, California. Walmart was named as a defendant in an ongoing lawsuit involving the CaptureRX breach. (Photo by Justin Sullivan/Getty Images)

NEC Networks, d/b/a CaptureRX, has reached a settlement with the 2.42 million patients whose data was stolen prior to a ransomware attack on the healthcare business associate in early 2021. CaptureRX provides health IT services to a range of provider organizations.

If approved, the settlement would require CaptureRX to pay the breach victims a total of $4.75 million. Notably, the company’s CEO issued a statement as part of the proposed settlement that states if the arrangement is not approved, “CaptureRX will strongly consider filing for bankruptcy.”

“CaptureRx has a wasting insurance policy related to this case. The insurer is making a substantial contribution to the settlement. But based on its policy limits – the amount covered is less than half of the total settlement,” explained CEO Chris Hotchkiss in the proposal.

The company is facing “demands for indemnity from numerous customers, that were also named as defendants in the class action cases, that have and continue to put severe financial strain on the company,” he continued. As a result, the company owners “are funding part of the settlement with their own money.”

The CaptureRX incident was the fourth largest healthcare data breach last year.

The initial notice was scant on details, such as when the incident was first discovered. Instead, CaptureRX began notifying 1.2 million patients in the spring of 2021 that an investigation concluded in February 2021, which found protected health information was stolen from their network ahead of a cyberattack.

The investigation confirmed the threat actors accessed patient data and exfiltrated it, which included patient names, dates of birth, prescription details. However, soon after the release of the CaptureRX notice, other providers issued their own breach notifications, NYC Health + Hospitals among them.

The hospital system discovered in May 2021 that the data belonging to more than 40,000 of its patients was among the information accessed and/or exfiltrated during the CaptureRX hack. The notice showed that the vendor negotiated with the attackers for the release of the data, with confirmation the stolen information was deleted.

For several months, CaptureRX kept a running list of impacted organization on its website, which included MetroHealth and Walmart. In total, more than 2.42 million patients tied to dozens of healthcare entities were involved. 

Walmart was also named as a defendant in the ongoing lawsuit. The proposed settlement will consolidate 10 ongoing class-action lawsuits that allege the vendor’s “willful and reckless violations of [patients’] privacy rights” led to the initial hack and subsequent data exfiltration.

The lawsuit claims CaptureRX failed to properly safeguard patient data and failed to take necessary precautions to protect PHI from unauthorized disclosure. The vendor is also accused of improperly handling and not protecting data, which was “readily able to be copied by thieves and not kept in accordance with basic security protocols.”

While CaptureRX has admitted no wrongdoing, the proposed monetary settlement will provide each breach victim who files a claim with one cash payment of $25. Patients will not need to provide evidence of identity theft caused by the incident. California patients are eligible for another $75 payment, as part of the state’s privacy law.

If approved, the vendor will have 90 days to enhance and implement a comprehensive IT security program to better protect patient data. The settlement requires the security program to include administrative, technical, and physical safeguards appropriate for the size of its operations.

It’s the second healthcare data breach settlement announced in less than a week, with staunchly different results. Inmediata Health Group recently reached a $1.13 million settlement for its class-action lawsuit with the 1.5 million patients impacted by a 2019 cyber incident and mailing error.

Each breach victim who files a claim is eligible for up to $2,500 in reimbursement for out-of-pocket expenses, which must be directly tied to recovery efforts brought on by the breached information. Breach victims are also eligible for receiving up to $15 an hour for up to three hours, for time lost on recovery efforts. 

However, the settlement makes no requirement for security improvements. As these lawsuits and subsequent settlements become par for the course, there’s an increasing need for greater clarity and standards.