Pierluigi Paganini May 27, 2024

Prescription service firm Sav-Rx disclosed a data breach that potentially impacted over 2.8 million people in the United States.

Prescription service company Sav-Rx disclosed a data breach after 2023 cyberattack. The company is notifying 2,812,336 individuals impacted by the security breach in the United States.

A&A Services, which operates as Sav-RX, shared with the Maine Attorney General’s office the data breach notification letter sent to the impacted individuals.

The investigation conducted by the company with the help of external cybersecurity experts revealed that threat actors first gained access to the IT System on or around October 3, 2023.

“On October 8, 2023, we identified an interruption to our computer network. As a result, we immediately took steps to secure our systems and engaged third-party cybersecurity experts. Our information technology systems (“IT System”) were restored the next business day, and prescriptions were shipped on time without delay.” reads the letter sent to the impacted individuals. “As part of the investigation, we learned that an unauthorized third party was able to access certain non-clinical systems and obtained files that contained health information. After an extensive review with third-party experts, on April 30, 2024, we discovered that some of the data accessed or acquired by the unauthorized third party may have contained your protected health information.”

Compromised data includes full name, date of birth, Social Security Number (SSN), email address, physical address, phone number, eligibility data, and insurance identification number.

Sav-Rx took eight months to notify impacted individuals to avoid impacting patient care with its investigation.

“Our initial priority was restoring systems to minimize any interruption to patient care.” states the company. “The incident did not affect our pharmacy systems, including those systems related to our mail order pharmacy. Not all customers were impacted, and not all health plan participants were impacted.”

The company promptly notified law enforcement authorities. Sav-Rx worked with external cybersecurity experts to contain the incident and ensure any data stolen from the company was destroyed and not further disseminated.

The firm pointed out that the incident had a limited impact on its operations, its IT system was restored
the next business day and there was no delay in the shipment of prescriptions.

The prescription service provider also announced it has enhanced its security protocols, controls, technology, and training.

Sav-Rx is offering impacted individuals complimentary access to 24 months of credit monitoring and identity theft restoration services provided by Equifax.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, data breach)