The CaptureRx Supply Chain Attack: What Happened and the Importance of Vendor Risk Management (VRM)

Blog post Team CENTRL 2021-07-19


In May 2021, CaptureRx announced that malicious actors had targeted its systems with a ransomware attack. The Texas-based healthcare administrative service company provides 340B solutions to safety net providers and pharmacies. The attack impacted many different healthcare organizations across the US, resulting in patients’ data being stolen.

The HIPPA Journal reported that the attackers stole crucial data of tens of thousands of patients from five healthcare establishments connected to CaptureRx. How the incident unfolded indicates that it was a supply chain attack whereby the malicious actors exploited the flaws in CaptureRx’s cyber defenses, stealing data that the company had obtained from healthcare providers.

Since CaptureRx operates as a vendor, the ransomware attack affected many of its client organizations, including the following:

  • Faxton St. Luke’s Healthcare in New York
  • Gifford Health Care in Vermont
  • Brownsville Community Health Center in Texas
  • Lourdes Hospital in New York
  • Thrifty Drug Stores

How the Attack Unfolded

Investigation of the incident found that the hackers accessed and stole patient files from CaptureRx on Feb. 6, 2021. The stolen patient data included first and last names, medical record numbers, prescription information, and date of births.

Between February 19 and March 19, the company started assessing the stolen files to determine the extent and severity of the attack and how it might impact the victims and its client healthcare organizations.

CaptureRx’s case indicates that hackers exploit vulnerabilities in the supply chain of their targets and gain side-door access to their data. It is worth noting another recent attack on a radiation treatment software provider affected around 170 healthcare service providers and systems across the US.

CaptureRx helps US hospitals manage the 340B drug program designed to provide low-cost prescription drugs to patients. Meanwhile, the company has taken several measures to prevent further damage, including changing all user passwords and launching a comprehensive investigation into the incident. It has also jacked up its cyber defense, started cybersecurity training for its employees, and initiated a review of its information security policies and procedures.

CaptureRx issued a statement, saying the company started investigating its systems right after detecting abnormal activities surrounding some of its digital files. The company also notified its partner organizations and clients about the breach by April 7. It worked with the healthcare providers to inform the victims about their stolen information. Individuals affected by the breach are advised to keep an eye on their accounts for unusual activities.

Healthcare service providers are specifically attractive targets for malicious actors and supply chain attack gangs. Hackers are fully aware that these organizations are lucrative as they house a treasure trove of patient information, including crucial details like SSNs and private patient data. After accessing the precious data, the attackers either sell it on the dark web or hold it for ransom.

The CaptureRx data breach underscores the importance of vendor risk management for every organization, particularly healthcare setups.

But how can VRM ensure your company doesn’t experience a supply chain breach? Let’s have a look.

How Can a Robust VRM Process Protect Your Organization from Similar Attacks

Third-party vendors are a vital part of your company’s growth and profitability. But as you can learn from the case of CaptureRx, your vendors can expose your organizations to cybersecurity risks. And when a supply chain breach happens, it could not only be costly in monetary terms but also tarnish your business reputation and land you in legal and regulatory problems. That’s where vendor risk management (VRM) has your back.

VRM is a crucial part of cybersecurity. It helps you identify, monitor, assess, and mitigate risks emanating from your supply chain ecosystem rather than just sticking to incident response. These measures help your business grow and thrive while meeting regulatory requirements.

A vigorous VRM program is critical for companies in regulated sectors, such as healthcare providers and financial institutions. These organizations have excessive reliance on third-party vendors to provide vital services to their customers.

And given the intensified and strict regulatory requirements around supply chain security, every business needs to have reliable VRM processes to monitor and manage vendor risks.

Vendor Risk Management Best Practices

A good vendor risk management program and processes will significantly cut the risk and severity of data breaches and other attacks coming from loopholes in your third parties.

Here’re some important tips for implementing a robust VRM program and process in your organization:

1. Risk Assessment: Carry out a risk assessment of your potential vendors during the vendor selection and onboarding process and all through your relationship with them. You can start by making categories of your vendors and create their risk profiles. Doing so will help you identify the vendors that pose the highest risk to your organization based on the data, networks, and systems they will access.

2. Vendor Contracts: Define the risks in your contracts and clearly lay out conditions for supply chain security. Also, define the metrics for ending the relationship.

3. Clear Communication: Make sure you have a reliable line of communication all through your supply chain. This can help reduce the risks and respond timely, besides weakening the impact of an attack.

4. Get the Top Management Onboard: The top management and board of directors must be aware of changes in vendors, the risks they present to your business, your existing vendor security protocols, and measures required to improve supply chain security.

5. Adopt VRM Technology: The traditional, manual methods are no longer useful in managing vendor risks. It is crucial to modernize your VRM program and use advanced technologies like VRM software to cope with advanced, complex, and evolving supply chain risks.

How CENTRL’s Vendor360 Can Help?

Vendor360 is a cutting-edge platform designed to supercharge your third-party due diligence and vendor risk management process. From risk assessment to vendor onboarding and issue management to remediation, Vendor360 has you covered.

Manage all of your vendors from a single dashboard with a centralized vendor database. Vendor360 allows you to automate many areas of the VRM process, including risk identification, risk monitoring, risk assessment, onsite audit, and more.

Explore more exciting and powerful features of Vendor360 or experience how the software works with a LIVE DEMO.

Similar resources

More resources