One of the largest pharmacy service providers in the United States has confirmed that hackers have gained access to the personal data of nearly six million patients.
PharMerica operates more than 2,500 facilities in the US and offers more than 3,100 pharmacy and healthcare programs.
In a notification of a data breach filed with the Attorney General of Maine, PharMerica said it learned of suspicious activity on its computer network on March 14. An internal investigation revealed that an “unknown third party” accessed its systems days earlier and stole the personal information of 5.8 million current and deceased individuals. including 35,000 patients in Maine.
In a letter to affected patients, the Kentucky-based company said hackers obtained patient names, dates of birth, social security numbers, medications and health insurance information.
But samples of the leaked data, seen by TechCrunch, suggest the hackers also stole at least 100 patients’ protected health information, including allergy information, Medicare numbers, and detailed diagnoses, including details about alcohol, drugs, and mental illness.
This stolen data was published on the dark web leak site of the Money Message ransomware gang, a relatively new operation observed in March, who took credit for the cyberattack. Money Message claims to have stolen a total of 4.7 terabytes of data from PharMerica and its parent company BrightSpring Health, a home and community-based health service provider.
The same ransomware gang has claimed responsibility for the cyber attack on Taiwanese hardware maker Micro-Star International, known as MSI, that compromised large amounts of data, including the company’s. private code signing keys.
Neither PharMerica nor BrightSpring Health has confirmed that the nature of the incident was ransomware, and BrightSpring Health spokesperson Leigh White did not respond to TechCrunch’s questions.
In a rack Posted on its website, PharMerica said it is taking additional steps to reduce the likelihood of a similar event occurring in the future, but did not specify what those steps are.
With nearly six million patients affected, the PharMerica incident is the largest health data breach so far this year. The second-largest breach involves Southern California medical company Regal Medical Group, which confirmed in January that the data of more than 3.3 million patients had been accessed.
Telehealth startup Cerebral, which suffered the third-largest breach, confirmed in March that the private health information, including mental health assessments, of more than 3.1 million patients in the United States was held by advertisers and social media giants.