Six million patients’ data feared stolen from PharMerica

PharMerica, one of the largest pharmacy service providers in the US, has revealed its IT systems were breached – and it’s feared the intruders stole personal and healthcare data belonging to more than 5.8 million past customers

The cyber heist happened around March 12, when “an unknown third party” gained access to computer systems and may well have grabbed patients’ info including names, dates of birth, Social Security numbers, medication lists and health insurance information, according to a notice on PharMerica’s website.

A sample breach notification letter [PDF] submitted to the Maine Attorney General is addressed to “Administrator/Executor of the Estate of” – meaning at least some of the sensitive information stolen in the breach belonged to people who are dead. This, of course, won’t stop cyber criminals from stealing their identities and using their names and personal identifiers to commit fraud.

PharMerica, which operates more than 180 long-term care and specialty pharmacies in 50 states, said it and parent company BrightSpring Health Services first spotted the suspicious network activity on March 14.

It’s unclear whether BrightSpring patient data was also compromised in the breach, or if the crooks only stole PharMerica’s files. Neither company immediately responded to The Register‘s questions about the incident, but we will update this story if and when we hear back from the organizations.

“Upon discovering the incident, PharMerica promptly began an internal investigation and engaged cybersecurity experts to investigate and secure its computer systems,” the notice said. 

“At this point, PharMerica is not aware of any fraud or identity theft to any individual as a result of this incident, but is nonetheless notifying potentially affected individuals to provide them with more information and resources.”

A ransomware gang called Money Message claimed responsibility for the intrusion, and added both PharMerica and BrightSpring to its leak site. 

The miscreants claimed to have two million PharMerica and BrightSpring Health records – including Social Security numbers from 400 databases. At the time, DataBreaches said it was able to validate four Social Security numbers (out of four attempts) as actual people. However, it could not determine if the stolen data was current.

More recently, TechCrunch reported that it had seen samples of the data that appear to be protected health information belonging to at least 100 patients. It included allergy information, Medicare numbers, and diagnoses that could be damaging to patients if leaked – such as details about alcohol, drug, and mental health-related illnesses.

Regardless, the lawyers are circling overhead, so we’d anticipate another class action lawsuit to be filed in the near future. 

And as extortionists increasingly target hospitals and other healthcare organizations entrusted with protecting very sensitive and private information, it’s probably a good idea for those in the medical field to stress test their IT systems, lock down protected data, run some tabletop exercises and otherwise ensure their cyber security is up to snuff. ®

READ MORE HERE