
Data of 5.82M PharMerica patients stolen, accessed during cyberattack


More than 5.81 million patients tied to PharMerica have been notified that their data was accessed and stolen during a March cyberattack. The long-term care pharmacy solution provider reported the breach to the Office of the Maine Attorney General on May 12.

On March 14, PharMerica “learned of suspicious activity” on its network and worked to secure its systems, while launching an investigation with support from cybersecurity advisors.

The forensics showed that threat actors accessed the provider’s systems for two days and exfiltrated patient data during the dwell time. The stolen data included patient names, contract information, Social Security numbers, prescriptions, and health insurance information.

Notably missing from the breach notice to consumers is that the data was allegedly taken by the Money Message ransomware group. PharMerica appeared on the group's data leak website one month ago. The actors are a relatively new threat and previously claimed the cyberattack on Taiwanese PC parts maker MSI.

Despite Money Message’s claims, PharMerica’s notice says they “have no reason to believe that anyone’s information has been misused for the purpose of committing fraud or identity theft.”

PharMerica is a Fortune 1000 company that operates more than 180 facilities in all 50 states, and its breach is the largest single-entity incident reported so far in 2023, which is on pace to become a record-breaking year for healthcare security incidents. The top eight data breaches affect over 950,000 patients each, though three of them are tied to the hack of vulnerable Fortra GoAnywhere MFT instances.

While each of the top healthcare data breaches of 2022 affected over 1 million patients, the majority were reported toward the end of the year, and none reached the numbers seen in the PharMerica and GoAnywhere hacks.

The largest incidents reported by single healthcare entities this year:

While data breaches may not impact patient care, they pose another serious business and financial risk: legal filings. As confirmed by recent data and BakerHostetler research last year, incidents impacting more than 50,000 patients increasingly lead to lawsuits.

NextGen reports hack of office system, impacts 1.05M

NextGen Healthcare is reporting a hack of patient data for the second time this year. A threat actor gained access to a “limited set” of personal information stored in the NextGen Office System, leading to the access of data tied to 1.05 million patients.

In January, NextGen Health was listed on the BlackCat, or ALPHV, ransomware group’s dark website. The actors claimed to have stolen a trove of information from the health IT vendor. At the time, a spokesperson confirmed to SC Media that they’re “aware of this claim” and “have been working with leading cybersecurity experts to investigate and remediate.”

The dates on the recent notice suggest this breach is separate from the earlier incident. NextGen was “alerted to suspicious activity” on the impacted systems on March 30, prompting the security team to contain the incident and reset passwords, in addition to contacting law enforcement.

The subsequent investigation found a threat actor accessed stored data between March 29 and April 14. The accessed data included patient names, dates of birth, Social Security numbers, and contact information.

NextGen is continuing to work with law enforcement on their investigation, while further reinforcing its systems security. However, some of the impacted patients have already filed at least seven data-breach lawsuits against the vendor over the incident and patient privacy impacts.

UBH cyberattack leads to access, data theft for 104K

The health data of nearly 104,000 Uintah Basin Healthcare patients was accessed and/or stolen during a November 2022 cyberattack.

After discovering the attack on Nov. 7, UBH worked to secure the network and launched an investigation to determine the scope of the incident. While the incident was found six months ago, the notice suggests UBH did not discover the breach of protected health information until early April.

The investigation confirmed the data compromise impacted patients who received care with UBH between March 2012 and November 2022. The stolen data included names, SSNs, dates of birth, health insurance information, and some clinical data, including diagnoses, conditions, medications, test results, and procedures.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
