PharMerica, a pharmacy service provider operating in the US, announced a data breach compromising the personal data of nearly six million patients.
With a presence in over 2,500 facilities, PharMerica offers an extensive range of 3,100 pharmacy and healthcare programs. The cyber security incident was discovered following the detection of suspicious activity on the company’s computer network on March 14, TechCrunch reported.
Following an internal investigation, it was determined that an unauthorized third party had recently breached PharMerica’s systems, resulting in the compromise of personal information belonging to 5.8 million individuals, including both current and deceased patients. Among those affected, 35,000 patients were based in Maine, according to a data breach notification filed with the state’s Attorney General by PharMerica.
Hackers managed to access patients’ names, dates of birth, Social Security numbers, medication details, and health insurance information, as confirmed in a letter sent to affected patients. Additionally, the attackers obtained protected health information for at least 100 patients, including allergy information, Medicare numbers, and detailed diagnoses covering alcohol, drug, and mental health-related illnesses.
The stolen data was subsequently published on the dark web leak site associated with the Money Message ransomware gang. This group claimed responsibility for the breach and stated that they had successfully acquired a total of 4.7 terabytes of data from PharMerica and its parent company, BrightSpring Health, which specializes in home and community-based health services. However, neither PharMerica nor BrightSpring Health has officially confirmed whether the incident involved ransomware, as noted in the report.
In a separate breach incident, Cerebral, a telehealth startup, disclosed that it had inadvertently shared private health information, including mental health assessments, of over 3.1 million patients with major advertisers and social media platforms such as Facebook, Google, and TikTok. The breach, ranking as the third-largest in terms of affected individuals, occurred when Cerebral shared personal and health data of users who utilized the app to seek therapy. This disclosure was made through a filing with the federal government.