Congress Learns of Prescription Data Hack Months Later

Lawmakers are only now learning that hackers breached a congressional medical contractor more than two months ago.

RXNT, a healthcare software company used by the Office of the Attending Physician (OAP) to manage prescription services for Congress, was breached on March 1 and March 3. Hackers obtained copies of patient data stored within the platform. The contractor notified the government on the final day allowed under federal health privacy law.

The compromised data includes names, birth dates, home addresses, prescription information, physician names, and pharmacy information. The OAP confirmed that broader medical records, Social Security numbers, insurance information, and financial data were not affected.

Under HIPAA, business associates such as RXNT have 60 days from discovering a breach to notify affected covered entities. RXNT used the full window, notifying the OAP on day 60. According to two people familiar with the matter, that delay may have set back the OAP’s own assessment of how many Capitol Hill patients were affected.

The data review itself took more than six weeks, from March 3 to April 17, before RXNT formally confirmed what had been taken. Client notifications did not go out until May 1, at which point affected organizations were given until May 15 to register and authorize RXNT to manage downstream reporting obligations, including filings with HHS’s Office for Civil Rights, state attorneys general, and affected individuals.

Attending physician Brian Monahan has been personally contacting affected lawmakers and staff. The OAP’s notice to affected patients offered this reassurance:

“The OAP only provides the minimum information required to process prescription services.”

The OAP’s notice explained that RXNT’s software is used to “securely transmit prescription information to pharmacies for fulfillment.”

Broader medical records, including detailed health histories, “remain secured within the walls of Congress” and are “not cloud based,” the notice stated.

No attribution for the breach has been made public. It is not known whether the intrusion was carried out by a domestic or foreign actor, or where the data may ultimately end up.

The total number of affected individuals has not been disclosed. Under HIPAA’s Breach Notification Rule, covered entities have up to 60 days after being notified by their business associate to issue individual notifications, meaning the full scope of this breach may remain unknown for some time.
