Washington, D.C. – PharMerica, one of the largest pharmacy service providers in the United States, has disclosed a significant data breach that compromised the personal data of almost six million patients. The breach raises concerns about the security of sensitive healthcare information and underscores the growing threat posed by cybercriminals targeting the healthcare sector.
PharMerica operates a vast network of over 2,500 facilities nationwide, offering a wide range of pharmacy and healthcare programs encompassing more than 3,100 services. The breach came to light after the company detected suspicious activity on its computer network on March 14.
An internal investigation revealed that an unknown third party had gained unauthorized access to its systems several days prior, ultimately pilfering the personal information of 5.8 million individuals, both current and deceased. Among those affected, approximately 35,000 patients were based in Maine.
According to PharMerica’s notification to the attorney general of Maine, the stolen data includes patients’ names, dates of birth, Social Security numbers, medication details, and health insurance information. However, a review of samples of the leaked data suggests that the hackers also obtained protected health information for at least 100 patients.
This additional information comprises details such as allergy information, Medicare numbers, and comprehensive diagnoses, encompassing alcohol, drug, and mental health-related illnesses.
The dark web leak site of the Money Message ransomware gang, a relatively new cybercriminal operation first identified in March, hosted samples of the stolen data. The gang claimed responsibility for the cyberattack on PharMerica and its parent company, BrightSpring Health, a provider of home and community-based health services.
In their announcement, Money Message asserted that they had successfully exfiltrated 4.7 terabytes of data from both companies. Notably, the same ransomware gang had previously targeted Taiwanese hardware manufacturer Micro-Star International (MSI), compromising significant volumes of data, including the company’s private code-signing keys.
Neither PharMerica nor BrightSpring Health has officially confirmed that the incident involved ransomware. BrightSpring Health spokesperson Leigh White did not respond to inquiries from TechCrunch seeking clarification.
In a statement published on its website, PharMerica assured patients that it is implementing additional measures to reduce the likelihood of similar incidents occurring in the future. However, the company did not provide specific details about these security enhancements.
With nearly six million patients affected, the PharMerica data breach represents the largest healthcare data breach reported thus far in 2023. The second-largest breach involved Southern California medical firm Regal Medical Group, which confirmed in January that the personal information of over 3.3 million patients had been compromised.
Additionally, telehealth startup Cerebral suffered the third-largest breach, acknowledging in March that it had shared private health information, including mental health assessments, of more than 3.1 million patients with advertisers and social media platforms in the United States.
The incident serves as a stark reminder of the pressing need for robust cybersecurity measures within the healthcare industry. The theft of sensitive personal and health information poses significant risks to individuals, including potential identity theft and fraud. As cybercriminals continue to target the healthcare sector, organizations must prioritize data protection and strengthen their security frameworks to safeguard patient information.