A&A Services, which does business as Sav-Rx, is notifying 2,812,336 patients of a hacking incident in October 2023.
According to its submissions to the California and Maine attorneys general, Sav-Rx detected an interruption to their network on October 8, 2023. By the next day, their IT systems were restored and prescriptions were shipped on time without delay.
The investigation took 6 months. They write:
“As part of the investigation, we learned that an unauthorized third party was able to access certain non-clinical systems and obtained files that contained health information. After an extensive review with third-party experts, on April 30, 2024, we discovered that some of the data accessed or acquired by the unauthorized third party may have contained your protected health information. Based on the results of the forensic investigation, we believe the unauthorized third party first accessed the IT System on or around October 3, 2023.”
Their notification template does not list all the protected health data types involved, but it does contain a statement after using variable fields: “Please note that other than these data elements, the threat actor did not have access to your clinical or financial information.” The submission to Maine indicates that Social Security numbers were involved.
An FAQ on Sav-Rx’s website provides some additional explanation. In response to a question as to why Sav-Rx would have someone’s data, they respond:
Either you are a current or former employee or we provide medication benefit management services to your current or former health plan, and we receive certain information about you to deliver these services. Please note that your actual prescription information was not affected, only the information we maintain to provide medication benefit management services to these health plans.
Sav-Rx is offering those notified complimentary access to 24 months of credit monitoring and identity theft restoration services through Equifax.