Sav-Rx Reports Massive Data Breach Affecting 2.8 Million People

Sav-Rx, a pharmacy benefit management company, is notifying 2.8 million people that their personal and protected health information was stolen in a cyberattack last year.
A&A Services, which operates as Sav-Rx, provides prescription drug management services to employers, unions, and other organizations in the United States. On October 8, 2023, a cyberattack was detected when the company experienced network interruption. The disruption was short-lived โ its IT systems were restored the following day โ however, the investigation took 6 months to determine that the threat actor behind the attack exfiltrated files containing patient information from non-clinical systems between October 3, 2023, and October 8, 2023, and a further two months to issue individual notifications to the 2,812,336 affected people.
Sav-Rx said the lengthy investigation was due to the company trying to minimize interruption to patient care and its reluctance to rush to conclude the investigation to ensure accurate results. The investigation was completed on April 30, 2024, and the affected health plan customers were notified between April 30, 2024, and May 2, 2024. Sav-Rx then reached an agreement with the affected health plans regarding the issuing of notification letters, which were mailed to the affected individuals on May 24, 2024.
The affected individuals were current and former employees and current and former members of health plans that used Sav-Rxโs medication benefit management services. The information stolen in the attack included full names, dates of birth, email addresses, home addresses, phone numbers, Social Security numbers, eligibility information, and insurance identification numbers. The affected individuals have been offered complimentary credit monitoring and identity theft protection services for 24 months. Since the information stolen in the attack can be used for identity theft and fraud, affected individuals should ensure they take advantage of those services and monitor their accounts for signs of fraud.
Sav-Rx has implemented a range of measures following the security breach to harden security and prevent similar incidents in the future. Those measures include the creation of a 24/7 security operations center, implementing multi-factor authentication on critical accounts, enhancing geo-blocking, strengthening Linux security, upgrading firewalls and switches, implementing BitLocker encryption for stored data, and network segmentation.
This is the third-largest healthcare data breach to be confirmed this year, behind the 13.4 million record website tracking technology breach at Kaiser Foundation Health Plan, Inc. and the 3,998,162 record data breach at Concentra Health Services, Inc. The size of the data breach at Change Healthcare has yet to be confirmed but it could affect 1 in 3 Americans. These four breaches alone are likely to involve more healthcare records than all 725 healthcare data breaches reported in 2023.