Getty Images

Cyberattack Exposes Protected Health Information of 43K New Yorkers

A cyberattack exposed the PHI of over 43,000 New Yorkers.

Over 43,000 patients are being notified after a cyberattack on NYC Health + Hospitals exposed private data, which included Protected Health Information (PHI).  

NYC Health + Hospitals, the largest public health care system in the United States, published a notice of the cyberattack on June 30th that exposed protected health information, according to its statement

The cyberattack occurred in February, according to the healthcare group.  

This attack is part of the larger CaptureRx ransomware breach, which impacted over 200 other healthcare organizations across the country. A full list of facilities impacted by the CaptureRx breach can be found here

 NYC Health + Hospitals, which provides services to over 1 million patients at 70 locations, “discovered the disclosure on May 14, 2021.” 

“The incident involved the exfiltration of patient information from a NYC Health + Hospitals former third-party vendor, CaptureRx, by a Threat Actor,” the notice stated.  

“The PHI included patients’ names, dates of birth, and prescription information. No financial information or other identifiers were exfiltrated by the Threat Actor.” 

NYC Health + Hospitals said there is no evidence that PHI has been misused. 

CaptureRx is a Texas-based company that assists hospitals with managing their 340B drug program, which helps patients get prescription drugs at a lower cost.  

“CaptureRx engaged a forensic firm to evaluate its systems for vulnerabilities and to monitor the dark web and public websites for the presence of the PHI,” the statement noted. “The forensic firm found no evidence of the PHI on either the dark web or public websites.  

“In addition, the Threat Actor returned the PHI to CaptureRx, and provided evidence that it had destroyed the PHI.” 

Patients with questions or concerns can visit the CaptureRx website at https://www.capturerx.com/data-incident/ or call 1-855-654-0919, from 9:00 am to 5:00 pm EST, Monday through Friday.  

Editor’s Note: Jill McKeon contributed to this report.  

Next Steps

Dig Deeper on Cybersecurity strategies