Data breach exposes Adirondack Health patient information

Adirondack Medical Center in Saranac Lake (Photo provided by Adirondack Health)

SARANAC LAKE — The personal information of more than 800 patients of Adirondack Health may have been exposed in a contract company’s data breach three-and-a-half months ago, the health care network announced late Thursday.

The patient information that was exposed included certain patients’ first names, last names, dates of birth, prescription information and medical record numbers, according to a news release from Adirondack Health, which operates Saranac Lake’s Adirondack Medical Center, the Lake Placid Health and Medical Fitness Center and the Mercy Living Center in Tupper Lake.

The information was exposed when CaptureRx, a third-party vendor that administers the federal 340B prescription drug program at Adirondack Health and several other hospitals across the country, experienced a data breach on Feb. 6. The breach was a ransomware attack, according to Becker’s Hospital Review, a health care trade publication. Ransomware attacks by hackers have become increasingly common in recent months.

CaptureRx is expected to notify every patient whose information may have been exposed via mail. So far, the company isn’t aware of any “actual or attempted misuse of patient information as a result” of the data breach, according to Adirondack Health.

Unusual activity

CaptureRx became aware of “unusual activity involving certain files on its systems” earlier this year and reviewed all of the relevant files to determine if any of them contained sensitive information, according to a news release from Adirondack Health. More than one month after the breach — sometime around March 19 — the company confirmed that the personal information of 877 Adirondack Health patients was among files that were accessed without authorization.

CaptureRx alerted Adirondack Health about the activity more than a week later, on March 30, according to a news release from Adirondack Health.

The health care network noted in its news release — sent to media outlets nearly two months after confirmation — that it was “providing patients with this notice to ensure that all those affected are aware of the incident.” Adirondack Health is no longer doing business with CaptureRx, but the network is investigating and continues to communicate with the company “to ensure measures are put in place by the vendor to protect against any further breaches,” according to its news release.

Adirondack Health isn’t required by state law to notify patients, but CaptureRx is.

CaptureRx is encouraging all patients whose information may have been exposed to “remain vigilant, review their account statements and explanation of benefits forms, place ‘fraud alerts’ or ‘credit freezes’ on their credit files, and monitor their free credit reports for suspicious activity and errors.”

People with questions about this data breach are being asked to call CaptureRx’s hotline at 855-654-0919 between the hours of 9 a.m. and 5 p.m. Monday through Friday.

Past breaches

This isn’t the first time local patient information has been exposed in a data breach. In 2019, the information of 25,000 hospital patients in the North Country region was exposed after an Adirondacks Accountable Care Organization email was hacked. The information of Adirondack Health patients was also exposed in that data breach.

In 2020, the University of Vermont Health Network — which includes Elizabethtown Community Hospital, Alice Hyde Medical Center in Malone and Champlain Valley Physicians Hospital in Plattsburgh — was the victim of a ransomware cyberattack. Canton-Potsdam Hospital, Gouverneur Hospital and Massena Hospital were also hit by a ransomware attack last year. Watertown’s Samaritan Medical Center was the victim of a malware attack last year.

