About 6 million customers of the nationally popular pharmacy service provider had their personal, health insurance and medical data exposed in cyberattacks in March.
PharMerica serves from over 70,000 back-up and local pharmacies across 50 states and 3,100 additional facilities.
But in a complaint letter released by the Maine Attorney General’s Office, it was revealed that the Louisville-based company suffered a serious incident on March 12.
It was discovered by a third party on March 14, and the breach lasted two days and was found to have led to the exposure of customers’ personal information, the letter explains.
“We are conducting a comprehensive review of potentially affected data to identify whose information may have been obtained,” it continued.
“On March 21, 2023, we determined that the data contained personal information such as the name, address, date of birth, social security number, medications, and health insurance information of the person identified above.”
For more information on healthcare breaches, see NextGen Healthcare Data Breach: 1 Million Patient Records Affected.
The pharmacy giant optimistically argued that “there is no reason to believe that anyone’s information has been misused for fraud or identity theft purposes.”
But last month, cybersecurity researchers revealed on social media that the breach was the result of a ransomware attack by the relatively new Money Message group. This shows that stolen data is sold and/or monetized in the cybercriminal underground.
In fact, according to screenshots, the group began publishing stolen data on March 28. Posted on Twitter.
The rest of the alleged 4.7TB data pile was uploaded to the leak site by April 9th. Money Message also claimed to have data from BrightSpring Health Services, which merged with PharMerica in a $1 billion deal in 2019.
Farmerica is offering one year’s worth of Experian’s free privacy service to victims of the breach.
