DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Ransomware attack on PharMerica affected 5.8 million patients

Posted on May 13, 2023 by Dissent

While the Fortra/GoAnywhere data breach by Clop is shaping up to be the biggest, or one of the biggest, breaches affecting HIPAA-covered entities and business associates in 2023, an attack by Money Message on PharMerica is currently the largest single breach reported so far this year, with almost 6 million affected.

BrightSpring Health and PharMerica logos

On April 8, DataBreaches reported that PharMerica, a national pharmacy network, and its parent BrightSpring Health, a home and community-based health services provider, had been hit by the Money Message ransomware group. DataBreaches described the data the threat actors leaked as proof, obtained a statement from BrightSpring, and also obtained additional data and claims from Money Message. On April 14, Money Message informed DataBreaches that they had locked almost the entire infrastructure of both companies (a claim in conflict with BrightSpring’s claim that operations were not impacted), and that although there had been some negotiations, they had reached an impasse and would continue leaking data.

They did.

On May 12, PharMerica notified the Maine Attorney General’s Office about the incident, reporting that 5,815,591 people had been affected, total. Of those, 35,068 were Maine residents.

In a copy of an unsigned notification letter sent to the executor or estate administrator of a deceased patient, PharMerica states that on March 14, they learned of suspicious activity on their network. Their Investigation determined that there had been unauthorized access from March 12 – March 13 that had resulted in the exfiltration of some personal information from their system. Their chronology differs from Money Message’s claim that the attack was on March 28.

PharMerica’s notification indicates that the types of information involved included the person’s name, address, date of birth, Social Security number, medications, and health insurance information.

No services of any kind were offered to the executors or administrators, other than advice that if they chose to, they could request a copy of the individual’s credit report, and/or place a request to any of the three national credit reporting agencies such as:

“Deceased – Do not issue credit”; or
“If an application is made for credit, please notify the following person(s): (e.g., list a surviving relative, executor/trustee of the estate, and/or local law enforcement agency – notifying the relationship).”

No copy of any notification to a living patient was provided to the state, but their report to the state claimed that they had offered those affected 1 year of an Experian product for credit and identity protection services.

There is no notice or statement linked from PharMerica’s home page or that DataBreaches could find on their site.

There is no notice or statement linked from BrightSpring Health’s home page or that DataBreaches could find on their site. BrightSpring has issued a number of press releases since the attack — two in the past week, too — but didn’t manage to disclose the breach publicly?

This incident does not appear as yet on HHS’s public breach tool.

Has PharMerica or BrightSpring Health told the almost 6 million patients that their data is in the hands of criminals who have been leaking it since April?  Or has no one warned or informed the patients about that? 

DataBreaches has emailed BrightSpring Health to inquire about that and to ask if the number reported for PharMerica includes BrightSpring Health patients not included in the PharMerica report or if the PharMerica report is for both PharMerica and BrightSpring Health Services.  This post will be updated when a reply is received.

 

 

Category: Breach IncidentsCommentaries and AnalysesHealth DataMalwareOf NoteU.S.

Post navigation

← Student Medical Records May Have Been Taken in San Diego Unified Hack
Warnings over NHS data privacy after ‘stalker’ doctor shares woman’s records →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Trump Rewrites Cybersecurity Policy in Executive Order
  • AMI Group – Travel & Tours notice of ransomware attack
  • Resource: Insider Threat reports
  • Za: Cyber extortionist sentenced to eight years in jail
  • ICE takes steps to deport the Australian hacker known as “DR32”
  • Hearing on the Federal Government and AI
  • Nigerian National Sentenced To More Than Five Years For Hacking, Fraud, And Identity Theft Scheme
  • Data breach of patient info ends in firing of Miami hospital employee
  • Texas DOT investigates breach of crash report records, sends notification letters
  • PowerSchool hacker pleads guilty, released on personal recognizance bond

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Privacy Victory! Judge Grants Preliminary Injunction in OPM/DOGE Lawsuit
  • The Decision That Murdered Privacy
  • Hearing on the Federal Government and AI
  • California county accused of using drones to spy on residents
  • How the FBI Sought a Warrant to Search Instagram of Columbia Student Protesters
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Malaysia enacts data sharing rules for public sector

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.