ARx Patient Solutions and its affiliate pharmacy, ARx Patient Solutions Pharmacy, have issued a press release about a data breach affecting patient data.
Their notice states, “It was determined that in March 2022, an employee email account was compromised and accessed by an unauthorized third party.” The types of patient information that may have been accessed or acquired included names, dates of birth, medical information, and health insurance information, and in some limited cases, Social Security numbers.
The press release also states that, “On discovery of the incident, ARx Patient Solutions disabled the account, contained the disruption, engaged an industry-leading cybersecurity firm to complete an investigation, and accelerated implementation of our key initiatives to strengthen our systems and security protocols.”
But when was that? When did they first discover the incident?
ARx Patient Solutions seems to have responded to the incident with significant efforts to strengthen their security. They write that they “strengthened our systems and security protocols for our employees, patients and customers by implementing extended detection and response (XDR) and threat monitoring systems, proactive vulnerability management programs, active systems scanning, policy additions, and significant investments in the Security Operations department.”
That sounds good, but leaves one wondering how weak their security was at the time of the incident.
DataBreaches emailed ARx to inquire more about the discovery of this incident, asking:
1. When did ARx first become aware that there had been some abnormal activity or that there was something it needed to investigate?
2. How did it first become aware that there was a problem or breach?
3. Can ARx explain why it took more than a year to discover or disclose this breach?
No reply was immediately available, but this post will be updated when a reply is received.
The press release can be found at https://www.businesswire.com/news/home/20230630487715/en/ and a notice has also been posted at ARx’s website. Neither indicate how many patients are being notified. This incident is not on HHS’s public breach tool at publication time.