PharMerica health data breach affects more than 5.8 million people: Officials

PharMerica, a pharmacy services company serving patients and health organizations across the country, has reported a data breach stemming from an unauthorized party gaining access to the firm’s systems.

The breach has affected more than 5.8 million individuals, according to the Maine Office of Attorney General. The Maine AG’s office publicly reports breaches of private health information; about 35,000 of those affected are residents of Maine.

In a notice on its website, PharMerica says it is “not aware of any fraud or identity theft to any individual as a result of this incident, but is nonetheless notifying potentially affected individuals to provide them with more information and resources.”

• Read more: Government is giving more scrutiny to cyberattacks in healthcare

PharMerica, and its parent company, BrightSpring Health Services, said an investigation determined that a third party gained access to the company’s computer system March 12-23, 2023 and may have obtained private health information.

In April, the company found that the information could include dates of birth, Social Security numbers, medication lists, health insurance information, and financial account information.

PharMerica began notifying customers on May 12, according to the Maine Attorney General’s Office.

The company says it serves patients in 50 states and 3,100 facilities. PharMerica says it serves the long-term care, senior living, hospital, home infusion, hospice, behavioral, specialty and oncology pharmacy markets.

PharMerica says it will offer free identity protection and credit monitoring services for those affected, and suggests those notified should monitor their credit reports and financial accounts.

The company has also established a toll-free hotline - (866) 347-4281 - for those seeking more information. Consumers can call weekdays between 8 a.m. and 5:30 p.m., Central Standard Time.

Hundreds of breaches of private health information occurred in 2022, and a number of substantial breaches have been reported this year.

Regal Medical Group, based in southern California, said it was hit with a ransomware attack in March that potentially exposed the private health information of patients. More than 3.3 million individuals may have been affected in that breach, according to a filing with the U.S. Department of Health & Human Services’ Office of Civil Rights.

• Read more: Here are the 10 biggest health data breaches in the first quarter of 2023

Nearly 50 million Americans were affected by breaches of health data in 2022, according to an analysis by Critical Insight, a cybersecurity company. The number of breaches dropped in the second half of 2022, but more people were affected by those breaches in the last half of the year.

Many hospitals have been hit with ransomware attacks in recent years. Cybersecurity experts say they have seen a slight drop in ransomware attacks in recent months, but they urge hospitals and health systems to focus on bolstering their defenses. They also caution that bad actors could be refining their tactics, and are also looking more at smaller hospitals and organizations with fewer resources to invest in cybersecurity.