Pharmacy giant PharMerica says medical info of nearly 6 million patients leaked

One of the world’s largest pharmacy companies announced a data breach on Friday involving the sensitive personal data of nearly six million people.

In breach notification letters sent out on Friday, PharMerica said it discovered a hack on March 14 and immediately hired a cybersecurity firm to conduct an investigation. With 5,500 employees, it is the second-largest institutional pharmacy services company in the United States, and brought in $2.1 billion in revenue in 2022. It works closely with senior citizen centers, nursing homes and other long-term healthcare facilities across the country.

The investigation found that an “unknown third party” breached the company’s computer system for two days, on March 12 and 13.

“On March 21, 2023, we determined that the data contained personal information that included the above-referenced person’s name, address, date of birth, Social Security number, medications and health insurance information,” the notice said.

The company notified regulators in Maine that more than 5.8 million people were affected by the incident.

One unusual aspect of the breach notification letter was a warning about the potential for the information of deceased victims to be exploited by hackers.

The company said an executor or surviving spouse can place a request to any of the three national credit reporting agencies for a copy of a deceased individual’s credit report if there are concerns that the information is being used for things like opening credit cards or taking out loans.

The letter does not say if identity protection services are being offered, but Maine regulators said victims are being given one year’s access to Experian identity protection services.

The company did not respond to requests for comment about the particulars of the cyberattack. But on March 28, the Money Message ransomware group added the company to its leak site alongside its parent company BrightSpring Health Services.

A screenshot from the Money Message leak site. Image: Dominic Alvieri

The group claims to have stolen 4.7 terabytes of data in the attack and released the information on its leak site on April 7. BleepingComputer reported that since the data was posted, it has shown up on other hacker forums.

The ransomware gang appears to have only emerged in the last two months.

Researchers at the threat intelligence company Cyble said last month that the group has already targeted more than five publicly disclosed victims, with the majority of them from the U.S.

“In a specific instance, the group demanded a ransom of $500,000, which may vary depending on the targeted organization’s revenue,” the researchers said.

The group claimed an attack on Taiwanese hardware maker Micro-Star International (MSI) in April.

PharMerica is the latest healthcare giant to be attacked in recent months following a string of incidents involving Sun Pharmaceuticals – the fourth-largest specialty generic pharmaceutical company in the world – hospital technology company NextGen Healthcare, healthcare software company Independent Living Systems and medical device maker Zoll.

Each of the attacks on NextGen Healthcare, Independent Living Systems and Zoll involved the theft of troves of information from millions of patients that were subsequently leaked online.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.