Digital pharmacy Capsule reports hack affecting 27,000 users

Capsule, an app-based pharmacy that delivers medications to patients, has reported a network server breach that affected more than 27,000 people.

The Manhattan startup said the attack was likely an instance of “password spraying,” the term for when an attacker uses login information from other companies’ data breaches to attempt to break into users’ accounts.

A third-party cybersecurity firm concluded the breach was not a result of any weaknesses in Capsule’s security or data infrastructure, a company spokeswoman said. She did not name the firm that conducted the investigation.

Capsule disclosed the data breach Friday to the Department of Health and Human Services Office for Civil Rights, according to its website. Federal law requires the agency secretary to disclose breaches of unsecured protected health information affecting 500 or more individuals.

Download Modern Healthcare’s app to stay informed when industry news breaks.

The company did not respond to questions about when the breach happened and what personal information was potentially compromised.

Capsule has raised at least $570 million since it was founded in 2015. The startup reached unicorn status in 2021, after it closed a Series D round that its CEO said valued the company at more than $1 billion.

It has brick-and-mortar pharmacies in Atlanta; Austin, Texas; Boston; Chicago; Denver; Houston; Los Angeles; Nashville, Tennessee; Philadelphia; Tampa, Florida; Twin Cities, Minnesota; and Washington, D.C.

This story first appeared in our sister publication, Crain's New York Business.