On April 8 that the Money Message ransomware organization attacked the national pharmacy network PharMerica and its parent company. The home and community healthcare business BrightSpring Health. Threat actors exposed evidence data, a statement was obtained from BrightSpring, and additional evidence and allegations were gained via Money Message.
Money Message informed DataBreaches on April 14 that they had locked almost all of the infrastructure of both companies – a claim at odds with BrightSpring’s claim that operations were not impacted) and that, despite some negotiations, they had reached an impasse and would continue leaking data.
PharMerica informed the office of Maine’s attorney general on May 12 about the situation, saying that 5,815,591 people were affected. There were 35,068 people that called Maine home.
An unsigned copy of a notice letter from PharMerica to a dead patient’s executor or estate administrator indicates that the company discovered unusual behavior on their network on March 14. From March 12–13, their system was breached, and some personally identifiable information was stolen, according to their investigation. Money Message has stated that the incident occurred on March 28, while their timeline places it earlier.
According to PharMerica’s notice, the sorts of data compromised included the patient’s name, address, date of birth, Social Security number, prescriptions, and health insurance information.
The executors or administrators were not given any assistance, but were told that they could acquire a copy of the decedent’s credit report from any of the three main national credit reporting companies if they so desired.
No evidence of notice to any living patient was provided, despite the fact that they claimed in their state submission that they had offered individuals affected a year of a “Experian product” for credit and identity protection services.
Although BrightSpring has released multiple press releases following the attack (including twice in the previous week), the company still has not made public the fact that it suffered a security breach. As of this writing, the HHS public breach tool does not reflect this occurrence.
Almost 6 million patients of PharMerica and BrightSpring Health may not know that their information has been leaked into the hands of hackers since April. Or perhaps the patients haven’t been informed or cautioned about this.
Conclusion
More than 5.8 million people have begun receiving letters from PharMerica, a national pharmacy network, informing them of a data breach that happened in March. In the United States, PharMerica maintains over 2,500 locations and provides over 3,100 pharmacy and healthcare programs; it is owned by BrightSpring Health, a provider of home and community-based health services. PharMerica notified the Maine Attorney General’s Office on Friday that an unauthorized third party gained access to its computer systems in March, exposing the personal information of more than 5.8 million people. In breach notification letters sent out to affected customers, the corporation states that the incident took place between March 12 and March 13.
Names, residences, dates of birth, Social Security numbers, health insurance information, and medication lists are just some of the personal details that were exposed. PharMerica recommends that any executors or surviving spouses of those whose data was hacked contact the major credit reporting companies to tell them of the situation. Despite the lack of specifics in the letter, it appears that the Money Message ransomware organization is responsible for the cyberattack that PharMerica experienced. The organization began disclosing PharMerica employees’ and patients’ PII and PHI in April, which they had allegedly obtained.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.