One of the largest pharmacy service providers in the United States has confirmed that hackers accessed the personal data of almost six million patients.
PharMerica operates more than 2,500 facilities across the U.S. and offers more than 3,100 pharmacy and healthcare programs.
In a data breach notification filed with Maine’s attorney general, PharMerica said it learned of suspicious activity on its computer network on March 14. An internal investigation revealed that an “unknown third party” accessed its systems days earlier and stole the personal information of 5.8 million current and deceased individuals, including 35,000 patients based in Maine.
In a letter sent to affected patients, the Kentucky-based company said hackers obtained patients’ names, dates of birth, Social Security numbers, medication and health insurance information.
But samples of the leaked data, seen by TechCrunch, suggest the hackers also stole the protected health information of at least 100 patients, including allergy information, Medicare numbers and detailed diagnoses, including details about alcohol, drug and mental health-related illnesses.
This stolen data was published on the dark web leak site of the Money Message ransomware gang, a relatively new operation first observed in March, which took credit for the cyberattack. Money Message claims to have stolen a total of 4.7 terabytes of data from PharMerica and its parent company BrightSpring Health, a home and community-based health service provider.
The same ransomware gang claimed responsibility for the cyberattack on Taiwanese hardware maker Micro-Star International, known as MSI, which compromised reams of data, including the company’s private code-signing keys.
Neither PharMerica nor BrightSpring Health has confirmed that the nature of the incident was ransomware, and BrightSpring Health spokesperson Leigh White did not respond to TechCrunch’s questions.
In a statement posted to its website, PharMerica said it is taking additional steps to help reduce the likelihood of a similar event happening in the future, but did not specify what these steps are.
With almost six million patients affected, the PharMerica incident is the largest breach of healthcare data so far this year. The second largest breach involves Southern California medical firm Regal Medical Group, which confirmed in January that the data of more than 3.3 million patients had been accessed.
Telehealth startup Cerebral, which suffered the third-largest breach, confirmed in March that it shared with advertisers and social media giants the private health information, including mental health assessments, of more than 3.1 million patients in the United States.