“Thousands of pharmacies & millions of people use mscripts,” the mscripts website claims. “We provide a digital communication platform to help patients stay on track with their healthcare by delivering targeted messages through a mobile and web platform tied directly to the pharmacy dispensing system,” the California firm explains.
mscripts is Cardinal Health’s mobile pharmacy company.
On January 17, mscripts®, LLC notified HHS as a business associate that 66,372 patients were affected by an incident involving unauthorized access to data in cloud storage. The incident affected patients of Phoenix-based Banner Health as well as customers at the Costco, Meijer, Giant Eagle, and Brookshire Brothers pharmacy chains.
An undated notice about a “vendor incident” on mscript’s website states mscripts recently learned of an incident involving potential unauthorized access to a cloud storage asset, but the notice does not name any vendor as being responsible for the security of the asset.
Investigation revealed that patient data was accessible from the internet without any password or authentication between September 30, 2016, and November 18, 2022. They do not reveal how the firm first discovered the problem.
“The files that were accessible included prescription order summaries related to locker pickups at participating pharmacy locations and images of prescription bottles and insurance cards submitted by pharmacy patients through the mscripts® web or mobile app. Each file would have only been accessible from the date it was submitted until November 18, 2022,” mscript wrote.
The types of information exposed without protection included patients’ names and one or more of the following:
• Order summary – date of birth, phone number, address, and prescription number;
• Prescription information – address, prescription number, medication name, and/or originating pharmacy information; or
• Health insurance information – insurance company, member ID, group number, and/or dependents’ names, if any.
mscripts states that although they have no indication that any of the involved information was accessed or misused by any unauthorized person, they began notifying patients on February 10, 2023. Their recommendations can be found in the website notice.