Nearly six million customers of a popular nationwide pharmacy services provider have had their personal, health insurance and medical data exposed in a March cyber-attack.
PharMerica provides services from over 70,000 backup and local pharmacies and 3,100 additional facilities across 50 states.
However, a breach notification letter published by the Office of the Maine Attorney General revealed that the Louisville-headquartered firm suffered a serious incident on March 12 this year.
Discovered by a third party on March 14, the breach was found to have lasted two days and led to the compromise of customers’ personal information, the letter explained.
“We have been conducting a comprehensive review of the potentially affected data to determine whose information may have been obtained,” it continued.
“On March 21, 2023, we determined that the data contained personal information that included the above-referenced person’s name, address, date of birth, Social Security number, medications and health insurance information.”
Optimistically, the pharmacy giant claimed that it has “no reason to believe that anyone’s information has been misused for the purpose of committing fraud or identity theft.”
However, cybersecurity researchers revealed on social media last month that the breach was the result of a ransomware attack by the relatively new Money Message group. That would indicate that the stolen data will be sold and/or monetized on the cybercrime underground.
In fact, the group began publishing the stolen data on March 28, according to the screenshots posted to Twitter.
The remainder of a claimed trove of 4.7TB of data was uploaded to the leak site by April 9. Money Message also claimed to have data from BrightSpring Health Services, which merged with PharMerica in a $1b deal back in 2019.
PharMerica is offering a year’s worth of free identity protection services from Experian to those affected by the breach.