The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Almost 6 Million Individuals Affected by PharMerica Data Breach

In April 2023, the Money Message ransomware group announced it had breached the systems of PharMerica and its parent company, BrightSpring Health Services, and added both to its data leak site. The group claimed to have exfiltrated databases containing 4.7 million terabytes of data which included the records of more than 2 million individuals. PharMerica has now confirmed the extent of the data breach.

PharMerica is one of the largest providers of pharmacy services in the United States, operating more than 2,500 facilities and over 3,100 pharmacy and healthcare programs. PharMerica and BrightSpring have now completed their investigation and have confirmed that there was unauthorized accessing of sensitive patient information and reported the data breach to the Maine Attorney General as affecting 5,815,591 individuals. That makes it the largest healthcare data breach to be reported by a single HIPAA-covered entity so far in 2023.

PharMerica explained in its notification letters that suspicious activity was detected within its computer network on March 14, 2023. The network was isolated, and an investigation was conducted to determine the nature and scope of the intrusion. Assisted by third-party cybersecurity experts, PharMerica determined that “an unknown third party” accessed its computer systems between March 12 and March 13, 2023, and that personal information may have been obtained from its systems during that time frame.

By March 21, 2023, PharMerica had determined that the compromised information included names, addresses, birth dates, Social Security numbers, medication information, and health insurance information. PharMerica made no mention of a ransomware attack nor any publication of data online but did state that “we have no reason to believe that anyone’s information has been misused for the purpose of committing fraud or identity theft.”

Get the FREE
HIPAA Compliance Checklist

Delivered via email so please ensure you enter your email address correctly.

Your Privacy Respected

HIPAA Journal Privacy Policy

Affected individuals have been notified and offered complimentary credit monitoring and identity theft protection services for 12 months. Patients and executors of deceased patients’ estates have been advised to contact any one of the three national credit reporting agencies and to ensure the individual’s credit file is marked as ‘deceased – do not issue credit’, or for the credit reporting agency to make a notation on the individual’s credit file to notify an individual (such as a family member/next of kin) and/or law enforcement if an application is made for credit. PharMerica says it has implemented additional technical cybersecurity safeguards to prevent similar incidents in the future.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.


Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist