PharMerica Breach: The Lure of Health Care Data
Two months after noticing suspicious activity in its systems, PharMerica disclosed that nearly six million patients had their health care data stolen by threat actors.
The large pharmacy services company, which has more than 2,500 locations in the U.S., filed a data breach notification in May 2023. PharMerica noted that a third party had gained access to patient data in early March 2023. The identity of the third party is not yet known, but the attackers took personal information, including social security numbers, birthdates and insurance information, belonging to 5.8 million patients, some of whom are deceased.
Sensitive Data
But, according to TechCrunch, which viewed samples of the data published on the Money Message ransomware gang’s dark web site, hackers also nicked “protected health information of at least 100 patients,” such as data about allergies, diagnoses and mental health issues.
“The attack was orchestrated by the newly emerged Money Message ransomware gang, which targets global companies, extracting sensitive data and demanding hefty ransoms for its return,” said Craig Jones, vice president of security operations at Ontinue.
“Known for its double extortion technique, Money Message not only encrypts the victim’s data but also threatens to leak it if the ransom is not paid,” said Jones. “While their encryption methods may not be highly sophisticated, the group has been successful in exfiltrating and encrypting data from a number of organizations since their appearance in late March 2023.”
Health Care is Among the Most Targeted Industries
Threat actors continue to ply their trade in health care information and patient data because it remains lucrative—and probably will for the foreseeable future. “Health care is among the most-targeted industries because health care organizations have a high volume of sensitive data stored in the cloud. In addition, health data is more valuable because it is rather permanent. For example, a stolen health record may include a social security number, which can be used to obtain services or prescriptions fraudulently,” said Jasmine Henry, senior director of data security and privacy at JupiterOne. “Additionally, an individual can’t easily cancel their health record like they can with stolen credit card information,” Henry said.
Take PharMerica, for example. “The data breach extended beyond basic personal information to include protected health data, exposing patients’ allergy information, detailed diagnoses and Medicare numbers,” Jones said. “This depth of information could have far-reaching implications for affected individuals, opening them up to potential identity theft or fraudulent activity.”
Jones urged companies—health care and otherwise—to take greater care. “As the digital landscape continues to evolve, so do the threats that organizations face. It is crucial for companies, especially those handling sensitive health data, to adopt robust cybersecurity measures to safeguard against such breaches,” said Jones. “PharMerica has pledged to take steps to prevent future incidents, but the specifics remain undisclosed. The health care sector must remain vigilant against such threats, prioritizing the protection of patient data in their cybersecurity strategies.”
Some security professionals called for PharMerica to share more technical details about the data breach. “As the investigation continues, we hope PharMerica will release a more detailed technical analysis on the ransomware incident,” said Mohit Tiwari, co-founder and CEO at Symmetry Systems. “This incident also further illustrates the need for greater data visibility and control and a comprehensive approach to ransomware resilience, involving a data-centric security strategy that can detect anomalous data behaviors and help quickly identify what data is at risk.”