While going through NYS’s response to a FOI request I submitted, I came across a breach submitted by American Express that affected 49 people. Because it’s less than 500, it would not appear on HHS’s breach tool, and I never saw anything in the media about it.
Reportedly, the breach involved malware intrusions affecting two of Medical Center Pharmacy‘s stores – one at Grande Street in Statesboro, Georgia and one on Fair Road in Statesboro, Georgia. The breach occurred on August 19, 2011, American Express was informed of the breach by law enforcement on October 2, 2011, and AmEx consumers were notified on January 12, 2012. The credit/debit card breach involved names, card numbers, expiration dates, Track 1 and Track 2 data.
But the Georgia pharmacy breaches weren’t the only ones I found in going through the files. It appears that at least three five pharmacies on Long Island were all hacked in February 2012:
- 110 Pharmacy & Surgical experienced a breach on February 1 2012 and that was described as a hacking incident by Discover Financial Services, who reported the breach to NYS. Fifteen Discover cardholders were affected by the incident; the total number is not reported as the entity didn’t report the breach directly.
- Barth’s Drug Store was also hacked on February 1. Two Discover card members were affected.
- Sag Harbor Pharmacy was also hacked on February 1. Seven Discover card members were affected.
- Centereach Pharmacy reportedly was hacked on February 6, 2012. Again, the incident was reported by Discover, so all we know is that 6 Discover card holders were affected by the incident. As is Discover’s practice, the compromised card numbers were cancelled and new cards issued.
- Service Pharmacy Norwich reportedly was hacked on February 20, 2012. Five Discover cardholders were affected.
Meanwhile, further north in New York, Service Pharmacy Sherburne was hacked on February 16; 13 Discover card numbers were compromised.
Since I don’t generally see reports of pharmacy hacks in NYS files (or other states’ file, for that matter), it suggests something targeted was going on that month. Do pharmacies communicate and share such attacks with each other or did card issuers notify pharmacies if it appeared there were attackers out there that might be targeting pharmacies? While the attackers may have been after the credit and debit card information, pharmacy networks generally contain a lot of sensitive information that is also ripe for misuse.