One-sentence summary:
PharMerica was breached by the Money Message ransomware gang in March 2023, resulting in the potential breach of over 5.8 million patients’ sensitive records.
Who was involved?
PharMerica Corporation, BrightSpring Health Services, Inc., 5,815,591 patients, and the Money Message ransomware gang.
What was the timeline?
March 12, 2023: PharMerica breach begins
March 14, 2023: PharMerica discovers the breach and the breach ends
March 21, 2023: PharMerica begins the identification of individuals affected by the breach
March 28, 2023: Money Message announces the breach (Toulas, 2023)
April 9, 2023: Deadline by Money Message ransomware gang for payment (Toulas, 2023)
May 12, 2023: PharMerica notifies HHS and begins consumer notification
What occurred?
The Money Message ransomware gang hacked PharMerica in March 2023, breaching the sensitive data of over 5,815,591 patients and at least 4.7 TB of data (HHS, 2023; Toulas, 2023). Breached information potentially included “names, dates of birth, Social Security numbers, medication lists and health insurance information” (PharMerica, n.d.).
Estimated costs:
Incident response costs, breach notification costs, identity services for “potentially affected individuals,” M-F call center
Involved laws:
Federal: HIPAA and HITECH
State: Maine: 10 M.R.S.A. § 1346
Root cause:
TBA or N/A (see disclaimer)
Lessons learned:
TBA or N/A (see disclaimer)
Sources:
HHS. (2023). Cases Currently Under Investigation. In Breach Portal: Notice to the Secretary of HHS Breach of Unsecured Protected Health Information. U.S. Department of Health and Human Services: Office for Civil Rights. Retrieved June 1, 2023, from https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
PharMerica. (n.d.). PharMerica Notifies Individuals of Privacy Incident. In PharMerica. PharMerica Corporation. Retrieved June 1, 2023, from https://pharmerica.com/data-privacy-incident/
PharMerica (searchlogovector). (2018, September). pharmerica-logo-vector.png. Searchlogovector. https://searchlogovector.com/wp-content/uploads/2018/09/pharmerica-logo-vector.png
Toulas, B. (2023, May 15). Ransomware gang steals data of 5.8 million PharMerica patients. BleepingComputer. https://www.bleepingcomputer.com/news/security/ransomware-gang-steals-data-of-58-million-pharmerica-patients/