DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Ransomware attack on PharMerica affected 5.8 million patients

Posted on May 13, 2023 by Dissent

While the Fortra/GoAnywhere data breach by Clop is shaping up to be the biggest, or one of the biggest, breaches affecting HIPAA-covered entities and business associates in 2023, an attack by Money Message on PharMerica is currently the largest single breach reported so far this year, with almost 6 million affected.

BrightSpring Health and PharMerica logos

On April 8, DataBreaches reported that PharMerica, a national pharmacy network, and its parent BrightSpring Health, a home and community-based health services provider, had been hit by the Money Message ransomware group. DataBreaches described the data the threat actors leaked as proof, obtained a statement from BrightSpring, and also obtained additional data and claims from Money Message. On April 14, Money Message informed DataBreaches that they had locked almost the entire infrastructure of both companies (a claim in conflict with BrightSpring’s claim that operations were not impacted), and that although there had been some negotiations, they had reached an impasse and would continue leaking data.

They did.

On May 12, PharMerica notified the Maine Attorney General’s Office about the incident, reporting that 5,815,591 people had been affected, total. Of those, 35,068 were Maine residents.

In a copy of an unsigned notification letter sent to the executor or estate administrator of a deceased patient, PharMerica states that on March 14, they learned of suspicious activity on their network. Their Investigation determined that there had been unauthorized access from March 12 – March 13 that had resulted in the exfiltration of some personal information from their system. Their chronology differs from Money Message’s claim that the attack was on March 28.

PharMerica’s notification indicates that the types of information involved included the person’s name, address, date of birth, Social Security number, medications, and health insurance information.

No services of any kind were offered to the executors or administrators, other than advice that if they chose to, they could request a copy of the individual’s credit report, and/or place a request to any of the three national credit reporting agencies such as:

“Deceased – Do not issue credit”; or
“If an application is made for credit, please notify the following person(s): (e.g., list a surviving relative, executor/trustee of the estate, and/or local law enforcement agency – notifying the relationship).”

No copy of any notification to a living patient was provided to the state, but their report to the state claimed that they had offered those affected 1 year of an Experian product for credit and identity protection services.

There is no notice or statement linked from PharMerica’s home page or that DataBreaches could find on their site.

There is no notice or statement linked from BrightSpring Health’s home page or that DataBreaches could find on their site. BrightSpring has issued a number of press releases since the attack — two in the past week, too — but didn’t manage to disclose the breach publicly?

This incident does not appear as yet on HHS’s public breach tool.

Has PharMerica or BrightSpring Health told the almost 6 million patients that their data is in the hands of criminals who have been leaking it since April?  Or has no one warned or informed the patients about that? 

DataBreaches has emailed BrightSpring Health to inquire about that and to ask if the number reported for PharMerica includes BrightSpring Health patients not included in the PharMerica report or if the PharMerica report is for both PharMerica and BrightSpring Health Services.  This post will be updated when a reply is received.

 

 

Related posts:

  • PharMerica and BrightSpring Health Services hit by Money Message (update2)
  • The Ransomware Superhero of Normal, Illinois
Category: Breach IncidentsCommentaries and AnalysesHealth DataMalwareOf NoteU.S.

Post navigation

← Student Medical Records May Have Been Taken in San Diego Unified Hack
Warnings over NHS data privacy after ‘stalker’ doctor shares woman’s records →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • National Health Care Fraud Takedown Results in 324 Defendants Charged in Connection with Over $14.6 Billion in Alleged Fraud
  • Swiss Health Foundation Radix Hit by Cyberattack Affecting Federal Data
  • Russian hackers get 7 and 5 years in prison for large-scale cyber attacks with ransomware, over 60 million euros in bitcoins seized
  • Bolton Walk-In Clinic patient data leak locked down (finally!)
  • 50 Customers of French Bank Hit by Insider SIM Swap Scam
  • Ontario health agency atHome ordered to inform 200,000 patients of March data breach
  • Fact-Checking Claims By Cybernews: The 16 Billion Record Data Breach That Wasn’t
  • Horizon Healthcare RCM discloses ransomware attack in December
  • Disgruntled IT Worker Jailed for Cyber Attack, Huddersfield
  • Hacker helped kill FBI sources, witnesses in El Chapo case, according to watchdog report

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • The Trump administration is building a national citizenship data system
  • Supreme Court Decision on Age Verification Tramples Free Speech and Undermines Privacy
  • New Jersey Issues Draft Privacy Regulations: The New
  • Hacker helped kill FBI sources, witnesses in El Chapo case, according to watchdog report
  • Germany Wants Apple, Google to Remove DeepSeek From Their App Stores
  • Supreme Court upholds Texas law requiring age verification on porn sites
  • Justices nix Medicaid ‘right’ to choose doctor, defunding Planned Parenthood in South Carolina

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.