PharMerica and its parent company, BrightSpring Health Services, Inc., disclosed that they became aware of suspicious activity on their computer network on March 14 and that an internal investigation revealed that an unknown third party accessed computer systems from March 12–13 and may have obtained personal information.
PharMerica posted a statement on its website saying that its investigation into the network breach “identified a data population whose personal information and limited medical information — names, dates of birth, Social Security numbers, medication lists and health insurance information — was disclosed.”
In its May 12 letter to affected patients and the executors of the deceased patients’ estates, which includes a data breach notification filed with the state of Maine, the Louisville, Kentucky-based company recommended that the executors request a copy of the deceased person’s credit report and ask that it be noted “Deceased – Do Not Issue Credit,” or request to be notified when credit is applied for.
Was it ransomware?
Databreaches.net has been following the breach since early April and said it had communicated with a new ransomware group, “Money Message,” which presented screencaps as evidence that it had extracted data.
According to a story update, Money Message claimed to have 2 million PharMerica and BrightSpring Health records, including Social Security numbers, from 400 databases. The group also reportedly said it would “publish this information in geometric progression every 48 hours,” Databreaches.net said.
The group claims it has virtually shut down PharMerica’s operations, but as of today the company has not said that its operations have been disrupted, either in its Maine notification or in a sample letter posted on its website.
Drug companies and third party risks
The frequency of cyber attacks increases every year, but COVID-19 has created its own panic in the pharmaceutical industry.
A pandemic-era report from Black Kite says pharmaceutical companies are at high risk for extortion attacks because of the severe toll a shutdown of operations would exact on the public.
“An interruption in the manufacturing of life-saving drugs or treatments would be devastating for many. A cyberattack on a pharmaceutical company could mean life or death for consumers,” the researchers said.
“Imagine if a ransomware attack held a manufactured COVID-19 vaccine hostage or halted production of critical chemotherapy drugs,” Bob Maley, Black Kite’s chief security officer, said in the report’s announcement.
The PharMerica data breach could be the largest reported so far this year and could affect the largest number of individuals, as well as their descendants.
In February, Regal Medical Group in California reported a massive data breach related to a December ransomware incident that affected more than 3.3 million patients, according to the US Department of Health and Human Services Office for Civil Rights Breach Portal.
In March, telehealth company Cerebral reported a data breach related to pixel trackers, saying it disclosed data on more than 3.1 million patients between October 2019 and January 2023 without obtaining HIPAA consent.
Andrea Fox is a senior editor for Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.











