PharMerica announces health data breach, possibly largest of Q1 2023

The national pharmacy network, which serves long-term care, senior living and behavioral health organizations, notified patients and families that an unknown third party accessed PHI and PII in March.
By Andrea Fox
11:07 AM

Photo: Chee Gin Tan/GettyImages

PharMerica and its parent company, BrightSpring Health Services, Inc., disclosed it learned of suspicious activity on its computer network on March 14 and an internal investigation determined the unknown third party accessed computer systems from March 12-13 and may have obtained personal information.

PharMerica posted a statement to its website that said an investigation into a breach of its network "identified a data population whose personal information and limited medical information – names, dates of birth, Social Security numbers, medication lists and health insurance information – were disclosed."

In its May 12 letter to affected patients and executors of deceased patients' estates, included with its data breach notification filed with the state of Maine, the Louisville, Kentucky-based company recommends that the executors of deceased patients request a copy of a deceased individual’s credit report and notate "Deceased – Do not issue credit" or request to be notified if an application is made for credit.

Was it ransomware?

Databreaches.net has been following the breach since early April, claiming the publication had communicated with a newer "Money Message" ransomware group, which offered proof it had extorted data with screencaps. 

Money Message claimed to have 2 million PharMerica and BrightSpring Health records including Social Security numbers from 400 databases, according to a story update. The group also reportedly said it would "publish this information in geometrical progression every 48 hours," which Databreaches.net said it had.

The group claims to have nearly shut down PharMerica's operations, but the company does not say its operations have been disrupted in its sample letter filed with Maine or on its website, as of today.

Drug companies and third-party risk

The frequency of cyber-attacks increases every year, but COVID-19 set off its own panic in the pharmaceutical industry. 

A pandemic-era report by Black Kite said drug companies are at high risk for extortion attacks because of the severity a shutdown of operations would exact on the public. 

"An interruption in manufacturing lifesaving drugs or therapies would be catastrophic for many. A cyberattack on a pharmaceutical company could mean life or death for consumers," the researchers noted.

"Imagine if a ransomware attack halted a manufactured COVID-19 vaccine hostage or stopped the production of vital chemotherapy drugs," said Bob Maley, Black Kite’s chief security officer, in the report announcement.

The PharMerica data breach may be the largest reported this year thus far and may affect the largest number of individuals – and their descendants. 

In February, Regal Medical Group in California reported a large data breach related to a ransomware incident in December that the provider said affected more than 3.3 million patients, according to the U.S. Department of Health and Human Services Office for Civil Rights breach portal.

In March, the telehealth company Cerebral reported a data breach related to pixel trackers and said it disclosed the data of more than 3.1 million patients between October 2019 to January 2023 without obtaining HIPAA consent.

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS Media publication.

Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.