The network systems of one of the biggest pharmaceutical companies in the US, called PharMerica, were breached by hackers a couple of months ago. The cybercriminals managed to steal the personal information of nearly 6 million people. The information stolen by the bad actors includes extremely sensitive information. PharMerica has thousands of locations across the US, and the breach affects approximately 2% of the US population.
In a recently issued statement, the pharma company said that in March 2023, they experienced a cyber accident and hired a cyber forensic company to investigate further. The cyber experts determined that the hackers had access to medical and personal information containing millions of Americans’ names, DOB, SSNs, and health insurance. Part of the people affected are already deceased, but this would not stop criminals from committing fraud.
A hacker organization known as Money Message appears to be behind the attack — the ransomware gang claims to have stolen nearly five terabytes of data. There is no evidence that the stolen data has been misused, but the hackers appear to be selling the stolen information on the black market, so fraud attempts will likely follow soon. Money Message is a relatively new ransomware gang with unidentified roots. They took responsibility for another high-profile data breach with PC hardware company MSI earlier this year.
PharMerica has begun notifying its customers about the breach, and multiple law firms have started exploring possible class action lawsuits against the pharmaceutical giant and its parent company. The notice distributed to potential victims includes instructions on protecting themselves against fraud and identity theft. PharMerica also provides complimentary identity protection and credit monitoring services to the affected people.
This is not the first significant attack on healthcare facilities this year. Over the last four months, Southern California’s Regal Medical Group and telehealth startup Cerebral got hit by similar attacks. However, the attack on PharMerica appears to be the largest data breach this year, as the number of victims is almost as big as the combined number of affected users in the Cerebral and Regal Medical Group breaches.
Cyber-attacks on critical infrastructure pose a severe threat to the US. Most of those attacks originate from foreign states whose governments don’t do much to fight cybercriminals. Chinese and Russian hackers often get indicted in the US, the latest being Mikhail Matveev. The US offered a $10 million reward for information leading to his arrest as US intelligence agencies believe he is behind the cyber-attack of the Washington, DC, Police Department in 2021.