PharMerica data breach impacts more than 5.8 million individuals

National pharmacy network PharMerica discloses a data breach that impacted more than 5.8 million individuals.

National pharmacy network PharMerica disclosed a data breach that exposed the personal information of 5,815,591 individuals. The incident took place in March and the company started notifying the impacted individuals via letter.

The company is the second largest in the institutional pharmacy services market, with revenues of $1.9 billion and a customer base of 330,000 “beds” in 41 U.S. states. PharMerica provides its services to senior living communities, nursing facilities, public health organizations and post-acute care organizations.

“On March 14, 2023, we learned of suspicious activity on our computer network. Upon discovering the cybersecurity incident, we promptly began an internal investigation and engaged cybersecurity advisors to investigate and secure our computer systems.” reads the letter sent to the impacted individuals and shared with the Maine Attorney General’s Office. “The investigation determined that an unknown third party accessed our computer systems from March 12-13, 2023, and that certain personal information may have been obtained from our systems as a part of the incident.”

The company believes that the compromised information has not been misused for fraudulent activities or identity theft.

The security breach occurred between March 12 and March 13, threat actors had access to person’s name, address, date of birth, Social Security number, medications and health insurance information.

In response to the incident, the company enhanced its technical security measures.

The company warns that in some cases, exposed data belong to deceased individuals, for this reason, PharMerica encourages executors or surviving spouses to contact the national credit reporting agencies to request a copy of a deceased individual’s credit report along with making one of the following
notations:

• “Deceased – Do not issue credit”; or
• “If an application is made for credit, please notify the following person(s): (e.g., list a surviving
  relative, executor/trustee of the estate, and/or local law enforcement agency – notifying the
  relationship).”

Who is behind the attack?

PharMerica did not provide details about the attack, but the Money Message ransomware group claimed responsibility for the security breach and added the company to the list of victims on its Tor Leak site.

We are in the final!

Please vote for Security Affairs (https://securityaffairs.com/) as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections where is reported Securityaffairs or my name Pierluigi Paganini

Please nominate Security Affairs as your favorite blog.

Nominate Pierluigi Paganini and Security Affairs here here: https://docs.google.com/forms/d/e/1FAIpQLSepvnj8b7QzMdLh7vWEDQDqohjBUsHyn3x3xRdYGCetwVy2DA/viewform

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, PharMerica)