PharMerica and its parent company, BrightSpring Health Services, Inc., disclosed that they became aware of suspicious activity on their computer network on March 14, and an internal investigation identified a third party. unidentified accessed computer systems between March 12 and 13 and may have obtained personal information.
PharMerica posted a statement on its website saying an investigation into its cyber breach “identified a pool of data with limited personal and medical information – name, date of birth, Social Security numbers, drug lists and health insurance information – have been leaked.”
In a May 12 letter to affected patients and executors of deceased patients’ wills, accompanied by a data breach notice sent to the state of Maine, the Louisville-based company , Kentucky recommends that executors of deceased patients’ wills request a copy of a deceased individual’s will. credit report and note “Dead – No Credit Granted” or ask to be notified if a credit application is made.
Is it ransomware?
Databreaks.net has been tracking the breach since early April, claiming that the publication contacted a newer group of “Money Message” ransomware, providing evidence that it extorted data with screenshots image.
Money Message claims to have 2 million PharMerica and BrightSpring Health records including social security numbers from 400 databases, according to a story update. The group also said it would “publish this information exponentially every 48 hours,” Databreaks.net said it already had.
The group claims to have virtually shut down PharMerica’s operations, but the company didn’t say its operations were disrupted in a sample letter to Maine or on its website as of today.
Pharmaceutical companies and third party risks
The frequency of cyberattacks increases every year, but COVID-19 has caused panic of its own in the pharmaceutical industry.
A Black Kite pandemic-era report said pharmaceutical companies were at high risk of blackmail attacks because of the severity the shutdown would pose to the public.
Disruption to the production of a life-saving drug or therapy would be catastrophic for many people. A cyberattack on a pharmaceutical company could mean life or death, the researchers note. to consumers”.
“Imagine if a ransomware attack stopped hostage a COVID-19 vaccine being manufactured or stopped production of key chemotherapy drugs,” said Bob Maley, chief security officer of Black Kite.
The PharMerica data breach is possibly the largest reported breach this year and could affect the largest number of individuals – and their descendants.
In February, Regal Medical Group in California reported a major data breach related to a December ransomware incident that the vendor said affected more than 3.3 million patients, according to the portal. violates the Civil Rights of the United States Department of Health and Human Services.
In March, telemedicine company Cerebral reported a data breach involving pixel trackers and said it had exposed the data of more than 3.1 million patients over a period of time. from October 2019 to January 2023 without HIPAA consent.
Andrea Fox is the senior editor of Healthcare IT News.
Email: [email protected]
Healthcare IT News is a publication of HIMSS Media.
