Cyberattacks Affect BrightSpring Health Services, PharMerica, & Sarah D. Culbertson Memorial Hospital
Money Message Ransomware Group Leaks BrightSpring Health Services & PharMerica Data
The Money Message ransomware group has recently listed the Kentucky-based pharmacy network, PharMerica, and its parent company, BrightSpring Health Services, on its data leak site and claims to have stolen more than 2 million records in an attack in March 2023. The stolen data includes patient names, birth dates, and Social Security numbers.
BrightSpring Health Services has confirmed that it is investigating a cybersecurity incident and has engaged third-party cybersecurity experts to assist with the investigation. BrightSpring said the attack did not affect its operations. The cyberattack was detected on March 14, 2023, and the investigation confirmed unauthorized individual had access to its network from March 12 to March 13. The review of files confirmed that names, Social Security numbers, and in some cases, addresses and dates of birth were compromised. Credit monitoring services have been offered to affected individuals and the breach was recently reported to the Maine attorney general as affecting 535,203 individuals.
Sarah D. Culbertson Memorial Hospital Confirms Systems Restored After Cyberattack
Sarah D. Culbertson Memorial Hospital in Rushville, IL, has confirmed that it has fully restored its IT systems following a March 2023 cyberattack. The hospital experienced disruption to its network on March 30, 2023. Systems were shut down to contain the attack and third-party cybersecurity experts were engaged to investigate the attack and determine the extent to which patient data was involved.
While access to the majority of its IT systems was prevented during the attack and breach response, the hospital confirmed that its ED services have been operational throughout and patient care was unaffected. Notifications will be issued to affected individuals if patient data is determined to have been compromised in the attack, although at present it is unclear how many individuals have been affected. The breach has been reported to the HHS’ Office for Civil Rights as affecting 501 individuals – a common placeholder used to meet the breach reporting requirements until the number of affected individuals has been confirmed.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Mailing Error Affects More than 15,000 St. Luke’s Health System Patients
St. Luke’s Health System has notified 15,246 patients about an accidental disclosure of some of their protected health information. A technical error with a mailing resulted in letters being sent to incorrect mailing addresses. The letters that were sent to incorrect patients included the guarantor’s name, guarantor number, patient’s name, date of service, encounter-specific account number, outstanding balance, and balance status. St. Luke’s Health System said the accounts were not in collections and are not accountable for the balances.
The error was identified and corrected, and additional safeguards have now been implemented to identify similar errors before letters are mailed. As a precaution against misuse of data, the accounts of affected individuals have been reset to provide additional time to resolve balances, and affected individuals have been offered complimentary identity theft protection services for 12 months.
