Pharmacy services provider PharMerica has disclosed a massive data breach impacting over 5.8 million patients, exposing their personal and medical data to hackers.

PharMerica is a pharmacy services provider in 50 U.S. states, operating 180 local and 70,000 backup pharmacies, and serving 3,100 medical facilities nationwide. Along with PharMerica, the threat actors listed BrightSpring, a health service provider that merged with PharMerica in March 2019.

What Happened?

According to a data breach notification submitted to the Office of the Maine Attorney General, hackers breached PharMerica’s system on March 12th, 2023, and stole information of 5,815,591 people.

The firm discovered the intrusion on March 14th, 2023, and its investigation determined on March 21st that client data had been stolen. However, notices of a data breach were sent to impacted individuals only last Friday, May 12th, 2023 – 53 days after ascertaining the breach.

What Information Was Stolen?

According to the data breach notification, the hackers stole the following information:

• Address
• Full Name
• Date of Birth
• Social Security Number
• Medications
• Health Insurance Information

This information is called your Personally Identifiable Information (“PII”). It tells others about you and is considered part of your identity. Businesses are required to secure this information or risk facing statutory penalties, among other legal penalties. Stolen PII can be used by identity thieves to engage in fraudulent activity using your identity.

The best way to protect yourself after a data breach is to sign up for credit and identity protection services as soon as possible. California offers extra protections and legal rights to its residents through the California Consumer Privacy Act (“CCPA”) and the Confidentiality of Medical Information Act (“CMIA”).

Money Message Ransomware Gang Publishes Hacked Data

Although PharMerica does not mention the type of hacking incident, the Money Message ransomware gang claimed the attack on March 28th, 2023, when they began publishing stolen data.

Money Message claimed to have stolen 4.7 TB of data during their attack on PharMerica, stating that it consisted of at least 1.6 million unique records of personal information.

On April 9th, 2023, the timer ran out, and the threat actors published what they claim is all of the stolen data on their extortion site. Unfortunately, the files are still available for download at this time.

To make matters even worse, a threat actor has already posted the entire data dump on a clearnet hacking forum, breaking the file into 13 parts for easier downloading.

What is PharMerica Doing To Protect My Identity?

PharMerica announced it will provide victims of the breach with a single year subscription to Experian IdentityWorks Credit 3B identity protection services.

PharMerica did not elaborate on what steps it has taken to “secure” patient information from experiencing a reoccurrence of this incident.

What Are My Legal Rights?

It is important to understand your legal rights with respect to providers protecting your identity. As a result of the breach victims will now and continue to suffer economic loss and other actual harm for which they are entitled to damages, including, but not limited to, the following:

• the disclosure of confidential information to a third party with your consent;
• losing the inherent value of of their PII;
• losing the value of access to their PII permitted by PharMerica;
• identity theft and fraud resulting from the theft of their PII;
• costs associated with the detection and prevention of identity theft and unauthorized use of their financial accounts;
• anxiety, emotional distress, and loss of privacy;
• the present value fo ongoing credit monitoring and identity theft protections services necessitated by PharMerica’s Data Breach beyond the one year offered;
• unauthorized charges and loss of use of and access to their accounts;
• lowered credit scores resulting from the credit inquiries following fraudulent activities;
• costs associated with time spent and the loss of productivity or the enjoyment of one’s life from taking time to address and attempt to mitigate and address the actual and future consequences of the data breach, including searching for fraudulent activity, imposing withdrawal and purchase limits on compromised accounts, and stress, nuisance, and annoyance of dealing with the repercussions of the Data Breach; and
• the continued, imminent, and certainty impending injury flowing from potential fraud and identity theft posed by the PII being in the possession of one or many unauthorized third parties.

Victims should note that there may also be a significant time lag between when PII is stolen and when it is misused for fraudulent purposes. According to the Government Accountability Office, which conducted a study regarding data breaches: “law enforcement officials advise that in some cases, stolen data may be held for up to a year or more before being used to commit identity theft. Further, once stolen data has been sold or posted on the Web, fraudulent use of that information may continue for years. As a result, studies that attempt to measure the harm resulting from data breaches cannot necessarily rule out all future harm.“

Tags: data breach   Data Privacy   personal health information   Personal Identifying Information   ransomware