VectraRx Mail Pharmacy Services Notifies 109K Individuals About Data Breach
Cyberattacks and data breaches have recently been announced by VectraRx Mail Pharmacy Services, St. Andrew’s Resources for Seniors System, Jewish Child Care Association of New York, and the Columbus Division of Fire.
VectraRx Mail Pharmacy Services
VectraRx Mail Pharmacy Services, a New York-based mail order pharmacy, has suffered a major data breach involving the protected health information of 109,383 individuals. On February 6, 2025, VetraRx disclosed details of the incident, stating that unusual activity was identified in its computer systems on December 13, 2025, and a third-party cybersecurity firm was engaged to investigate the cause of the activity.
The investigation confirmed that an unauthorized actor had access to its network and may have viewed or acquired certain data. VetraRx did not disclose in the breach notice when its network was first breached or the duration of the unauthorized access. The review of the exposed data was completed on January 7, 2025, when it was confirmed that the exposed electronic protected health information (ePHI) included names, dates of birth, Rx numbers, Rx information, dates of service, and Social Security numbers. Individual notification letters have been mailed to the affected individuals who have been offered 12 to 24 months of complimentary credit monitoring and identity theft restoration services.
St. Andrew’s Resources for Seniors System
St. Andrew’s Resources for Seniors System in Creve Coeur, Missouri, a non-profit provider of assisted living, in-home care, and rehabilitation services, has notified 4,434 individuals about a February 2024 security incident involving unauthorized access to employee email accounts. Suspicious activity was identified in the email system on or around February 8, 2024. The forensic investigation confirmed unauthorized access to several employee email accounts, some of which contained sensitive data. The review of the compromised email accounts was completed on January 6, 2025.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
The types of data exposed in the incident vary from individual to individual and may include name in combination with address, Social Security number, driver’s license number, state identification number, passport number, military identification number, financial account information, payment card information, medical information, and/or health insurance information. Individual notification letters were recently mailed but make no mention of any credit monitoring or identity theft protection services. The affected individuals have been advised to remain vigilant against incidents of identity theft and fraud by reviewing their account statements and credit reports for unauthorized or suspicious activity.
Jewish Child Care Association of New York
Jewish Child Care Association of New York is investigating a security incident first identified on August 1, 2024. Suspicious activity was detected in its computer environment and the forensic investigation confirmed that an unauthorized third party had access to its network between July 21, 2024, and August 1, 2024, and viewed or copied certain information from its systems.
As the investigation progressed it was revealed that the compromised parts of its systems contained information such as names, contact information, Social Security numbers, patient identification numbers, medical record numbers, medical information, treatment information, diagnosis information, health insurance information, driver’s license/stated identification numbers, financial account information, and dates of birth.
The number of affected individuals has yet to be confirmed, with the incident reported to the HHS’ Office for Civil Rights using an estimate of at least 501 individuals. The total will be updated when the investigation concludes. Jewish Child Care Association of New York will be mailing notifications to the affected individuals and reviewing its data security policies and procedures to prevent similar incidents in the future.
Columbus Division of Fire
The City of Columbus in Ohio was the target of a cyberattack by a foreign actor that sought to disrupt critical IT infrastructure in the city. The cyberattack was quickly identified by the city’s Department of Information Technology, which immediately severed Internet connectivity and moved to contain the attack and prevent unauthorized access to sensitive personal information.
Despite those efforts, the hackers managed to exfiltrate sensitive data and have since published some of that data on the dark web. Data held by the Columbus Division of Fire was involved, including the protected health information of 736 individuals. The city is offering credit monitoring and identity theft protection services to all current and prior City of Columbus employees, and other individuals whose data was compromised in the incident.
