Knowledge of 5.82M PharMerica sufferers stolen, accessed throughout cyberattack

Greater than 5.81 million sufferers tied to PharMerica have been notified that their information was accessed and stolen throughout a March cyberattack. The long-term care pharmacy resolution supplier reported the breach to the Workplace of the Maine Lawyer Basic on Could 12.

On March 14, PharMerica “discovered of suspicious exercise” on its community and labored to safe its methods, whereas launching an investigation with assist from cybersecurity advisors.

The forensics confirmed that menace actors accessed the supplier’s methods for 2 days and exfiltrated affected person information through the dwell time. The stolen information included affected person names, contract info, Social Safety numbers, prescriptions, and medical health insurance info.

Notably lacking from the breach discover to shoppers is that the info was allegedly taken by the Cash Message ransomware group. PharMerica appeared on its information leak web site one month in the past. The actors are a comparatively new menace who beforehand claimed the cyberattack on Taiwanese PC elements maker MSI.

Regardless of Cash Message’s claims, PharMerica’s discover says they “haven’t any motive to imagine that anybody’s info has been misused for the aim of committing fraud or identification theft.”

PharMerica is a Fortune 1000 firm that operates greater than 180 services in all 50 states, and is the biggest single-entity incident reported to this point in 2023, which is on tempo to turn into a record-breaking yr for healthcare safety incidents. The highest eight information breaches have an effect on over 950,000 sufferers every, although three of that are tied to the hack of weak Fortra GoAnywhere MFT cases.

Whereas every of the top 2022 healthcare data breaches final yr affected over 1 million sufferers every, the bulk have been reported towards the top of the yr and none of which reached the numbers seen within the PharMerica and GoAnywhere hacks.

The most important incidents reported by single healthcare entities this yr:

Whereas information breaches could not affect affected person care, they pose one other critical enterprise and monetary danger: legal filings. As confirmed by latest information and BakerHostetler research final yr, incidents impacting greater than 50,000 or extra sufferers more and more result in lawsuits.

NextGen studies hack of workplace system, impacts 1.05M

NextGen Healthcare is reporting a hack of affected person information for the second time this yr. A menace actor gained entry to a “restricted set” of non-public info saved within the NextGen Workplace System, resulting in the entry of information tied to 1.05 million sufferers.

In January, NextGen Health was listed on the BlackCat, or ALPHV, ransomware group’s darkish web site. The actors claimed to have stolen a trove of knowledge from the well being IT vendor. On the time, a spokesperson confirmed to SC Media that they’re “conscious of this declare” and “have been working with main cybersecurity consultants to research and remediate.”

The dates on the latest discover counsel this breach is separate from the sooner incident. NextGen was “alerted to suspicious exercise” on the impacted methods on March 30, prompting the safety crew to include the incident and reset passwords, along with contacting regulation enforcement.

The following investigation discovered a menace actor accessed saved information between March 29 and April 14. The accessed information included affected person names, dates of beginning, Social Safety numbers, and speak to info.

NextGen is continuous to work with regulation enforcement on their investigation, whereas additional reinforcing its methods safety. Nevertheless, a few of the impacted sufferers have already filed at the least seven data-breach lawsuits towards the seller over the incident and affected person privateness impacts.

UBH cyberattack results in entry, information theft for 104K

The well being information of almost 104,000 Uintah Basin Healthcare sufferers was accessed and/or stolen throughout a November 2022 cyberattack.

Found on Nov. 7, UBH labored to safe the community and launched an investigation to find out the scope of the incident. Whereas the incident was discovered six months in the past, the discover suggests UBH didn’t uncover the breach of protected well being info till early April.

The investigation confirmed the info compromise impacted sufferers who obtained care with UBH between March 2012 and November 2022. The stolen information included names, SSNs, dates of beginning, medical health insurance info, and a few scientific information, together with diagnoses, situations, drugs, take a look at outcomes, and procedures.