Background:
Following the data breach incident in February 2021, the Office for Civil Rights (OCR) engaged with us to provide guidance and assess our compliance with the Privacy, Security, and Breach Notification Rules. We are pleased to share the following updates regarding their involvement:

On April 20, 2023, OCR provided technical assistance regarding the applicable provisions of the aforementioned rules. To further assist with our HIPAA compliance, OCR included the following links to additional guidance:

Based on the information and evidence obtained during its investigation, OCR determined not to investigate this matter further and closed the case. That determination applies only to the issues identified in the breach report that OCR reviewed.

Returning to the specifics of the incident, in February 2021, there was a data breach on our testing server in which client information was compromised.

There have been misperceptions in the public about what the information was and how it was compromised.

This submission is intended to clear up some of those misperceptions.

– The data breach occurred on an AWS testing server. Cumulus, our production platform, was not involved and has never been breached or compromised.

– None of the compromised information was ever made available to the public, and there were no reports of financial harm to anyone affected. Cybersecurity investigators were retained and monitored the dark web for several months; they found no indication that the data had been posted.

– Data elements such as phone numbers, Social Security numbers, and credit card numbers were not involved, as CaptureRx does not collect or store this information. The only elements compromised were first name, last name, date of birth, and prescription number; in rare cases, drug name and medical record number were also included.

– CaptureRx responded immediately to the incident and acted according to the requirements set forth by the U.S. Department of Health & Human Services (HHS).

– We could only communicate with our covered entities once we had clearly established which data and which patient records were affected, and how many.

– CaptureRx notified all Business Associates (Covered Entities and Pharmacies) within the timeframe set out in HHS guidelines. Note that notification deadlines also vary by state, in addition to the HHS rules (the HHS rules can be found here: https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html).

– CaptureRx gave each Business Associate the option of having CaptureRx notify HHS and any other regulatory agencies on its behalf. This was an additional service provided by CaptureRx, beyond what was required.

– CaptureRx offered each Business Associate the service of notifying all affected patients on the entity's or pharmacy's behalf, saving them the time and expense of providing the legal notification. The majority of Business Associates accepted this service.

– CaptureRx also provided a call center to answer questions from patients who received letter notifications. Although this was optional for CaptureRx, we provided it as a courtesy. Letters went out in seven waves, and the call center remained open for 90 days after each wave.

At the time of the data breach, we had already obtained our SOC 2 Type I attestation and were well on our way to completing our SOC 2 Type II attestation. The necessary security controls were already in place before the breach occurred, and the incident did not prompt any changes in order to achieve the attestation. CaptureRx security adheres to rigorous industry standards, including HIPAA, allowing CaptureRx to maintain its SOC 2 Type II attestation and demonstrating our ongoing commitment to maintaining strong security and privacy controls for our clients' data.

An IBM report states, "for 83% of companies, it's not if a data breach will happen, but when" (https://www.ibm.com/reports/data-breach). Many breaches have occurred within the last two years in our industry alone; the HHS breach portal lists 907 of them reported since 2020 (https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf).

The data breach highlighted the risks inherent in our operating environment. Through our continued security enhancements, we strive to offer the most secure 340B software in the marketplace.