PharMerica Reports Breach Affecting Nearly 6 Million PeopleMoney Message Ransomware Group Threatens to Release 1.6 Million Records
Institutional pharmacy PharMerica said the personal data of nearly 6 million current and deceased patients was caught up in a March hacking incident.
In letters sent to 5.8 million individuals, the Kentucky company said hackers obtained names, birthdates and Social Security numbers as well as medications and health insurance information.
The Money Message ransomware group claimed to be the attacker, posting on its dark web leak site multiple spreadsheets the group said contain patient data. It also posted apparent internal business documents including market models and balance sheets.
A 4.7-terabyte database "with 1.6M minimum records of personal data" will "be revealed soon," the group said. The hacking incident would be the largest so far reported this year to federal regulators.
The company's last available quarterly report from 2017, filed shortly after private equity firm KKR bought it for $1.4 billion, described it as the second-largest institutional pharmacy services company in the U.S. based on revenue and customer-licensed beds. KKR has since merged PharMerica with BrightSpring Health Services to form a corporation with approximately $4.5 billion in annual revenue.
PharMerica is telling patients it spotted suspicious network activity on March 14 and that hackers were able to access its systems for two days prior to that.
It is unclear what the ransom demand was and how many databases were accessed by the threat actors. A Money Market spokesperson told databreaches.net that there had been some negotiations, but the sides reached an impasse.
The Money Message ransomware group's activity is fairly new. Researchers from Cyble said it first became apparent in March. The group in April claimed responsibility for an attack against the Taiwanese PC giant Micro-Star International and demanded a $4 million ransom (see: Hackers Leak Private Keys; Many MSI Products at Risk).