Ransomware attack on PharMerica affected 5.8 million patients

While the Fortra/GoAnywhere data breach by Clop is shaping up to be the biggest, or one of the biggest, breaches affecting HIPAA-covered entities and business associates in 2023, an attack by Money Message on PharMerica is currently the largest single breach reported so far this year, with almost 6 million affected. On April 8, DataBreaches reported that PharMerica, a national pharmacy network, and its parent BrightSpring Health, a home and community-based health services provider, had been hit by the Money Message ransomware group. DataBreaches described the data the threat actors leaked as proof, obtained a statement from BrightSpring, and also obtained additional data and claims from Money Message. On April 14, Money Message informed DataBreaches that they had locked almost the entire infrastructure of both companies (a claim in conflict with BrightSpring’s claim that operations were not impacted), and that although there had been some negotiations, they had reached an impasse and would continue leaking data. They did. On May 12, PharMerica notified the Maine Attorney General’s Office about the incident, reporting that 5,815,591 people had been affected, total. Of those, 35,068 were Maine residents. In a copy of an unsigned notification letter sent to the executor or estate administrator of a deceased patient, PharMerica states that on March 14, they learned of suspicious activity on their network. Their Investigation determined that there had been unauthorized access from March 12 – March 13 that had resulted in the exfiltration of some personal information from their system. Their chronology differs from Money Message’s claim that the attack was on March 28. PharMerica’s notification indicates that the types of information involved included the person’s name, address, date of birth, Social Security number, medications, and health insurance information. No services of any kind were offered to the executors or administrators, other than advice that if they chose to, they could request a copy of the individual’s credit report, and/or place a request to any of the three national credit reporting agencies such as: “Deceased – Do not issue credit”; or “If an application is made for credit, please notify the following person(s): (e.g., list a surviving relative, executor/trustee of the estate, and/or local law enforcement agency – notifying the relationship).” No copy of any notification to a living patient was provided to the state, but their report to the state claimed that they had offered those affected 1 year of an Experian product for credit and identity protection services. There is no notice or statement linked from PharMerica’s home page or that DataBreaches could find on their site. There is no notice or statement linked from BrightSpring Health’s home page or that DataBreaches could find on their site. BrightSpring has issued a number of press releases since the attack — two in the past week, too — but didn’t manage to disclose the breach publicly? This incident does not appear as yet on HHS’s public breach tool. Has PharMerica or BrightSpring Health told the almost 6 million patients that their data is in the hands of criminals who have been leaking it since April? Or has no one warned or informed the patients about that? DataBreaches has emailed BrightSpring Health to inquire about that and to ask if the number reported for PharMerica includes BrightSpring Health patients not included in the PharMerica report or if the PharMerica report is for both PharMerica and BrightSpring Health Services. This post will be updated when a reply is received.