PharMerica, owned by BrightSpring Health, is a national pharmacy network serving partners in over 3,100 long-term care, senior living, IDD/behavioral health, home infusion, specialty pharmacy, and hospital management programs. BrightSpring® Health Services provides comprehensive home and community-based health services to complex populations needing specialized care. Both are headquartered in Kentucky.
Earlier today, the Money Message ransomware group added both entities to their leak site, claiming an attack on March 28. As proof of access, Money Message uploaded screencaps of a directory on one drive called “PhiladelphiaNC.” A second screencap showed part of a patient-related table with name, SSN, date of birth, Medicaid number, and Medicare number. There was also an Excel file with what appears to be protected health information (PHI) on 100 patients, including name, date of birth, SSN, Medicaid Number, Medicare Number, allergies, and a field with somewhat detailed diagnosis information and history.
DataBreaches attempted to verify three SSNs in the Excel file and screencap. All three were confirmed as valid SSNs. Two of the three SSNs were validated for Pennsylvania, and one of those two also showed the same name as in the patient table. That person was apparently in the SSDI Master Death File for 2008. The third SSN, for a male with a Hispanic name born in 1991, validated as having been issued in Puerto Rico between 1989 and 1992. A fourth patient’s SSN was validated as issued in Pennsylvania in approximately the same time period as the patient’s year of birth. That individual’s name was also verified as a Philadelphia area resident in a court docket found via a Google search. Having verified 4 out of 4 names were likely actual people, DataBreaches stopped attempting to validate.
While the data appear to be for actual people and likely patients, the freshness of the data still needs to be determined. As noted above, one of the patients whose information appeared in one screencap died in 2008. Another indication that the data are not recent is that the Medicare numbers in the tables are Social Security numbers. That’s the old system, however. The Centers for Medicare & Medicaid Services switched to a Medicare Beneficiary Identifier (MBI) that replaced the SSN-based system. CMS began mailing new Medicare cards with the latest numbers in April 2018, but none of the 100 patients in the Excel sample had an MBI; those with Medicare numbers all had SSNs as their Medicare numbers.
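The freshness check described above can be automated when triaging a leaked sample. The following is an added example, not part of the original post: it classifies each value in the MedicareNum column (the column name comes from the field list later in this post) as MBI-format or legacy SSN-based. The sample rows are constructed, and the 1-2 character suffix on the legacy pattern is an assumption about how such numbers are stored.

```python
import re
from collections import Counter

# Letters allowed in an MBI: the alphabet minus S, L, O, I, B, Z.
_L = "AC-HJKMNP-RT-Y"
# 11 positions: digit 1-9, letter, letter/digit, digit, letter,
# letter/digit, digit, letter, letter, digit, digit.
MBI_RE = re.compile(
    rf"[1-9][{_L}][{_L}0-9][0-9][{_L}][{_L}0-9][0-9][{_L}]{{2}}[0-9]{{2}}"
)
# Legacy SSN-based number: 9 digits plus an optional 1-2 character suffix
# (the suffix handling is an assumption of this example).
SSN_BASED_RE = re.compile(r"[0-9]{9}([A-Z][A-Z0-9]?)?")

# Constructed sample rows; the values are not real identifiers.
SAMPLE = [
    {"ID": "1", "MedicareNum": "000-00-0001A"},
    {"ID": "2", "MedicareNum": "000000002"},
    {"ID": "3", "MedicareNum": ""},
    {"ID": "4", "MedicareNum": "n/a"},
]


def classify(value):
    """Return 'mbi', 'ssn_based', 'empty' or 'other' for one MedicareNum value."""
    v = re.sub(r"[\s-]", "", value or "").upper()
    if not v:
        return "empty"
    if MBI_RE.fullmatch(v):
        return "mbi"
    if SSN_BASED_RE.fullmatch(v):
        return "ssn_based"
    return "other"


def summarize(rows, field="MedicareNum"):
    """Count identifier formats across rows (dicts keyed by column name)."""
    return Counter(classify(r.get(field)) for r in rows)


def predates_mbi(rows, field="MedicareNum"):
    """True when Medicare numbers are present and none uses the MBI format."""
    counts = summarize(rows, field)
    return counts["ssn_based"] > 0 and counts["mbi"] == 0


if __name__ == "__main__":
    print(summarize(SAMPLE), predates_mbi(SAMPLE))
```

A single MBI-format value in a sample means at least that record was touched after the new cards started going out, so the result is best read per facility or per table rather than across a whole dump.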
Did the attack disrupt patient care or pharmacy order fulfillment in any way? Nothing on PharMerica or BrightSpring Health’s websites indicates any delay or disruption. DataBreaches sent inquiries through contact forms to PharMerica and BrightSpring Health Services today, but no replies have been received yet. Money Message has no contact info on their leak site, so DataBreaches will contact them once some contact information is found.
This post will be updated if a reply is received from PharMerica or BrightSpring Health Services.
Update 1 (April 10): BrightSpring Health Services provided the following statement to DataBreaches:
BrightSpring Health Services recently became aware of a cybersecurity incident that we have been investigating and addressing with the support of third-party cybersecurity experts. Additionally, we have notified law enforcement. This incident does not currently impact our operations. While the investigation into the scope of the incident is ongoing, we are aware that an unauthorized actor claims to have taken certain data from our systems. We are working diligently to review any files involved to determine their contents. If we determine any patients’ sensitive information is involved, we will notify them as quickly as possible and in accordance with applicable law.
We regret any concern this incident may cause. The privacy and security of the patient information we maintain is one of our top priorities. With our internal expert team, investment in cybersecurity, and the help of our third-party cybersecurity experts, we will continue to implement best practice technology protocols and take steps to protect the data entrusted to us.
When asked whether their statement also applied to PharMerica’s operations, their spokesperson replied that as the parent company of PharMerica, the statement applied to them, too.
Also today, Money Message leaked more data with a note, “We have 2 millions records of that type and we’ll publish them if they don’t want to pay. Each time we’ll publish more and more records at once.” The leak appears to include personal and protected health information and has the name of “MethodistVillageAL” on the files.
Money Message did not respond to most of the questions DataBreaches put to them in an email, writing instead:
We have 2m records including: ssn , dob , p4 data and many more data
We will publish this information in geometrical progression every 48 hours
We have 400 databases from this company.
It is still not confirmed whether Money Message locked files or just exfiltrated data in this case.
Update 2 (April 14): Money Message responded to this site’s previously emailed inquiries. They provided some files showing patient data from four different facilities in North Carolina and one in Alabama. The files had the following fields:
ID, SSN, PatientCode, FirstName, MI, LastName, County, DOB, MaritalStatus, LevelOfService, Birthplace, Sex, MedicaidNum, MedicareNum, OtherInsName, OtherInsNum, OtherInsGroupNum, Comments, Disabled, PhysicianID, AltPhysicianID, DentistID, DiagnosisID, PharmacyID, Payer, Hospital, EducationLevel, FuneralHome, RehabPotential, Diagnosis, DiagnosisText, Prognosis, Religion, AdmittedFrom, DatesOfStay1, DatesOfStay2, Nickname, Race, AmbulancePreference, PreviousOccupation, PatientAware, NameOfChurch, PharmacyMPS, PharmacyOutside, AdmissionNumber, AllergiesText, DiagnosesText, TestPatient, Notes
In response to specific questions, Money Message’s spokesperson said that they had accessed all servers and locked almost the entire infrastructure of the companies (a claim which seems somewhat inconsistent with BrightSpring’s statement that the incident wasn’t impacting operations).
When asked whether the victim had contacted them to try to negotiate anything, the spokesperson also stated that there had been some negotiations, but the negotiations had reached an impasse.
Money Message has continued to dump more data, as it threatened.