iscover
Share this article on:
Powered by
MOMENTUM
MEDIA
A Fortune 1000 pharmacy services company has revealed that a malicious actor may have accessed more than 5.8 million sets of past and present patient data.
PharMerica notified the Office of the Maine Attorney-General of the breach and shared a copy of the notification letter it sent to those affected by the breach.
The company also has a notice on its website listing the information possibly compromised. It includes names, dates of birth, medication and insurance details, and Social Security numbers. The notification letter also states that mailing addresses could have been compromised.
What could be particularly distressing for some people receiving breach notifications is that some of the data belong to deceased individuals. The sample letter shared with the Maine A-G is addressed to “Dear Administrator/Executor of the Estate of …”.
One can only imagine the stress of thinking that the loss of a loved one is behind you, and then receiving such a letter.
The letter also notes the unauthorised access was first noted on 14 March 2023, with investigations revealing that the access took place over 12 and 13 March.
“Upon discovering the cyber security incident, we promptly began an internal investigation and engaged cyber security advisors to investigate and secure our computer systems,” the letter read. “The investigation determined that an unknown third party accessed our computer systems from March 12 [to] 13, 2023, and that certain personal information may have been obtained from our systems as a part of the incident.”
The Money Message ransomware group had already claimed responsibility for the hack, posting sample data on its dark website, along with screenshots that seem to suggest that two lots of data were successfully exfiltrated — one tranche of 2.67 terabytes and another of 4.88 terabytes. Some of the sample data sets seem to include remarkably sensitive information, such as alcohol and drug consumption and mental health details, according to TechCrunch, which has seen some of the samples.
“At this point, PharMerica is not aware of any fraud or identity theft to any individual as a result of this incident,” the company noted in its letter, “but is nonetheless notifying potentially affected individuals to provide them with more information and resources”.
PharMerica suggests that those worried about the identity theft of deceased loved ones make a request of “any of the three national credit reporting agencies” to have the individual listed as “Deceased – Do not issue credit”.
For those victims still living, PharMerica has offered credit monitoring and identity protection services.
PharMerica specialises in long-term care and pharmaceutical oncology and operates 330,000 beds in 41 US states.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
Be the first to hear the latest developments in the cyber industry.
