PharMerica Cyberattack and Data Breach Affects 5.8 Million Patients

PharMerica, one of the largest pharmacy service providers in the United States, has recently confirmed that the protected health information of 5,815,591 individuals has been exposed, and potentially stolen, in a recent cyberattack. This is the largest healthcare data breach to be reported this year and the 5th largest healthcare data breach to ever be reported by a single HIPAA-regulated entity.

The Money Message ransomware group claimed responsibility for the attack on PharMerica and its parent company, BrightSpring Health Services, and started uploading the stolen data on its data leak site on March 28, 2023. The threat actor claimed a 4.7 terabyte database had been stolen that included at least 2 million records, and then threatened to publish that data if the ransom was not paid; however, the data breach proved to be even more extensive.

PharMerica detected the system intrusion on March 14, 2023. While prompt action was taken to contain the attack and prevent further unauthorized access, the ransomware group gained access to its systems on March 12, 2023, and exfiltrated data on March 12 and 13. The forensic investigation confirmed on or around April 21, 2023, that the attackers had access to a database and parts of its network that contained patient information such as names, addresses, birth dates, Social Security numbers, medication information, and health insurance information.

As is now common in breach notification letters, no mention was made about the attack involving ransomware nor that stolen data had been published on a data leak site. The stolen data was also published on a clearnet hacking forum and was split into 13 smaller chunks to make downloads easier. PharMerica said it had no reason to believe that any of the affected information had been misused for identity theft or fraud. It is unclear if the ransom was paid.

As a precaution against identity theft and fraud, affected individuals have been offered complimentary credit monitoring and identity theft protection services for 12 months and PharMerica said it has reviewed its security measures and strengthened information security to prevent similar breaches in the future.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: