Over 5,000 patients of a number of Washington County healthcare organizations have had personal information possibly compromised by a data breach that occurred at CaptureRx in February. The HIPAA Journal describes it as a ransomeware data breach. CaptureRx provides a range of pharmacy benefits management services to healthcare organizations and companies around the country.
     Information reported to the Maine Attorney General's Office by CaptureRx suggests that almost 2 million individuals around the nation had personal information accessed through the breach. CaptureRx has listed a significant number of healthcare organizations, including Rite Aid Corporation, with clients that were affected, and more are being added to the list at www.capturerx.com/data incident provider list. Affected patients should have received a letter detailing the breach and steps to take to keep their personal information from being used fraudulently.
     Local healthcare organizations that were notified of patient information affected include: Calais Regional Hospital, with about 2,700 patients affected; Eastport Health Care Inc., with 667 patients affected; Regional Medical Center at Lubec with 384 patients affected; and St. Croix Regional Family Health Center and East Grand Health Center with 1,850 patients affected. Down East Community Hospital and Harrington Family Health Center patients were not affected, as neither organization has used Capture Rx for a number of years.
     The data breach happened at CaptureRx, not within the systems of the local healthcare organizations. In its notification to healthcare organizations, CaptureRx states that it "became aware of unusual activity involving certain of its electronic files." Following an investigation, the company "determined that certain files were accessed and acquired on February 6, 2021, without authorization" and that "the relevant files contained first name, last name, date of birth, and prescription information." HIPAA Journal also notes that medical record numbers belonging to a limited number of patients were "exposed and acquired."
     Between March 30 and April 7, CaptureRx began the process of notifying healthcare providers of the incident. Since then, it has worked with healthcare providers to notify the affected individuals whose information was identified as possibly compromised.

Steps to take to protect against fraud
     CaptureRx encourages individuals to remain vigilant against incidents of identity theft and fraud, to review account statements and explanation of benefits forms, and to monitor free credit reports for suspicious activity and to detect errors. To order a free credit report, visit or call toll free 877 322 8228.
     Consumers have the right to place an initial or extended fraud alert on a credit file at no cost. Credit files and reports are used for securing loans, mortgages, credit cards and more. An initial fraud alert is for one year. If you are the victim of identity theft, you are entitled to an extended fraud alert, which lasts for seven years. An alternative to a fraud alert is a credit freeze on a credit report, which prohibits a credit bureau from releasing information in the credit report without the consumer's express authorization. Federal law mandates that you cannot be charged to place or lift a credit freeze.
     To place a fraud alert or credit freeze, contact any of the three credit reporting agencies: Equifax at 888 298 0045 or www.equifax.com; Experian at 888 397 3742 or www.experian.com; or TransUnion at 833 395 6938 or www.transunion.com.
     For more information, CaptureRx has established a dedicated toll free assistance line at 855 654 0919 that is available Monday through Friday from 9 a.m. to 5 p.m. for any questions individuals may have.