Online Pharmacy Notifies 105,000 Patients About Cyberattack and Potential Theft of PHI

The Auburndale, FL-based digital pharmacy and health app developer Ravkoo has started notifying 105,000 patients that some of their sensitive personal information has been exposed and potentially obtained by an unauthorized individual.

Ravkoo hosts its online prescription portal on Amazon Web Services (AWS). The portal was targeted in a cyberattack that was detected on September 27, 2021. Upon discovery of the security breach, steps were immediately taken to secure the portal and third-party cybersecurity experts were engaged to assist with the forensic investigation, mitigation, restoration, and remediation efforts.

The investigation confirmed sensitive patient data had been exposed and may have been compromised, including names, addresses, phone numbers, certain prescription information, and limited medical data. Ravkoo said Social Security numbers are not maintained in the affected portal, so none were exposed. The forensic investigation did not uncover any evidence that indicated information contained within the portal has been or will be misused.

Ravkoo has reported the cyberattack to the Federal Bureau of Investigation (FBI) and is assisting with the investigation. Ravkoo has also been working with forensics experts to review the security of its AWS environment. Steps are now being taken to improve security and prevent further data breaches.

The data breach has been reported to the Department of Health and Human Services’ Office for Civil Rights as affecting up to 105,000 individuals. Affected individuals are being offered complimentary access to Kroll’s online credit monitoring service as a precaution, which includes access to resolution services in the event of identity theft.

Micah Lee at The Intercept said in a September 28, 2021 tweet that a hacker had claimed responsibility for the attack on Ravkoo and said the patient portal was “hilariously easy” to hack and involved the use of a hidden admin portal that any user could log in to and request patient data.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.