Almost 6 Million Individuals Affected by PharMerica Data Breach
In late March 2023, the Money Message ransomware group announced it had breached the systems of PharMerica and its parent company, BrightSpring Health Services, and added both to its data leak site. The group claimed to have exfiltrated databases containing 4.7 terabytes of data which included the records of more than 2 million individuals. PharMerica has now confirmed the extent of the data breach.
PharMerica is one of the largest providers of pharmacy services in the United States, operating more than 2,500 facilities and over 3,100 pharmacy and healthcare programs. PharMerica and BrightSpring have now completed their investigation and have confirmed that there was unauthorized accessing of sensitive patient information and reported the data breach to the Maine Attorney General and HHS’ Office for Civil Rights as affecting 5,815,591 individuals. That makes it the largest healthcare data breach to be reported by a single HIPAA-covered entity so far in 2023.
PharMerica explained in its notification letters that suspicious activity was detected within its computer network on March 14, 2023. The network was isolated, and an investigation was conducted to determine the nature and scope of the intrusion. Assisted by third-party cybersecurity experts, PharMerica determined that “an unknown third party” accessed its computer systems between March 12 and March 13, 2023, and that personal information may have been obtained from its systems during that time frame.
By March 21, 2023, PharMerica had determined that the compromised information included names, addresses, birth dates, Social Security numbers, medication information, and health insurance information. PharMerica made no mention of a ransomware attack nor any publication of data online but did state that “we have no reason to believe that anyone’s information has been misused for the purpose of committing fraud or identity theft.”
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Affected individuals have been notified and offered complimentary credit monitoring and identity theft protection services for 12 months. Patients and executors of deceased patients’ estates have been advised to contact any one of the three national credit reporting agencies and to ensure the individual’s credit file is marked as ‘deceased – do not issue credit’, or for the credit reporting agency to make a notation on the individual’s credit file to notify an individual (such as a family member/next of kin) and/or law enforcement if an application is made for credit. PharMerica says it has implemented additional technical cybersecurity safeguards to prevent similar incidents in the future.
