
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Sav-Rx Data Breach Affects 2.8 Million Individuals

A&A Services, a Fremont, Nebraska-based provider of Medication Benefit Management solutions to health plans that does business as Sav-Rx, has been affected by a cyberattack that was detected on October 8, 2023. A&A Services has confirmed that the Sav-Rx data breach involved the HIPAA protected health information of 2,812,336 individuals.

A security breach was identified when there was an interruption to its computer network. Steps were taken to secure those systems and prevent further unauthorized access, and third-party cybersecurity experts were engaged to contain the activity and investigate the cause of the disruption. Sav-Rx was able to restore its systems the following day with no material disruption to patient care. Prescriptions continued to be shipped without delay, and since its adjudication system was unaffected, network pharmacy chains faced no disruption. The investigation revealed its systems were accessed by an unauthorized third party on October 3, 2024.

While the incident was remediated swiftly, the investigation revealed that the threat actor behind the attack was able to access non-clinical systems and exfiltrated files containing protected health information. Sav-Rx made no mention of any ransom demand; however, it said, “in conjunction with third-party experts, we have confirmed that any data acquired from our IT system was destroyed and not further disseminated.” The statement suggests that a ransom demand was issued, and payment was made.

The review of the affected files revealed they contained protected health information related to the medication benefits management services that Sav-Rx provides to health plans. The affected individuals were either members of those health plans or current or former employees. Sav-Rx said its pharmacy systems were unaffected and not all health plan customers/participants had their data exposed/compromised in the incident.


In one of the most detailed breach notifications the HIPAA Journal has seen lately, Sav-Rx explained the delay in issuing notifications. “We prioritized this technological investigation to be able to provide affected individuals with as much accurate information as possible. We received the results of that investigation on April 30, 2024, and promptly sent notifications to our health plan customers whose participant data was affected within 48 hours.” Sav-Rx offered to issue notifications on behalf of the affected health plan customers and has now mailed the notifications.

The information exposed in the incident included names, addresses, phone numbers, email addresses, dates of birth, Social Security numbers, eligibility data, and insurance identification numbers. Financial information was not compromised. The affected individuals have been offered complimentary credit monitoring and identity theft protection services.

Sav-Rx also explained in detail the steps that have been taken since the incident to harden security and prevent similar incidents in the future. Those measures include, “enhancing a number of features such as: 24/7 security operations center, Microsoft Defender anti-virus and firewall, multi-factor authentication, BitLocker, Zabbix, new firewall and switches, patching cycle implementation, network segmentation, Linux system hardening, enhanced geo-blocking, LAPS installation, SSL certification cycling, website/portal enhancements, and policy and procedure development.”

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
