AllCare Plus Pharmacy, Inc. is an IQVIA business in Massachusetts. This week, they notified the Maine Attorney General’s Office of a phishing incident that affected 5,971 patients.
According to their notification, on June 21, 2022, AllCare discovered that some employees had received phishing emails. Their investigation revealed that some of the employees’ accounts had been compromised, and the attacker accessed certain accounts containing patient information. The types of information in those email accounts included name, address, date of birth, Social Security number, other types of identity information, financial information, and health information such as health insurance information about prescription and treatment information.
AllCare’s notice does not indicate when the phishing attack occurred, but only when they discovered it. Other data they provided to Maine indicates that the phishing attack was on April 14, 2022, so it appears it took them more than two months to discover it.
On March 13, AllCare notified those affected, offering them 24 months of complimentary identity theft and mitigation services.
This incident does not yet appear on HHS’s public breach tool.
In February, IQVIA provided notice on behalf of clients of Advanced Health Media involving a November 2022 hacking incident. That incident affected 26,932 individuals, but it was not clear from their notification whether the individuals were all employees or if this also involved protected health information.