Prescription management company Sav-Rx is warning over 2.8 million people in the United States that it suffered a data breach, stating that their personal data was stolen in a 2023 cyberattack.
A&A Services, doing business as Sav-Rx, is a pharmacy benefit management company that provides prescription drug management services to employers, unions, and other organizations across the U.S. On Friday, the company notified the Maine Attorney General's office of a cybersecurity incident in October 2023 that exposed the data of 2,812,336 people.
The impact on its business operations was kept to a minimum, with no delays in the shipment of medical prescriptions or pharmacy claims.
While their systems were restored in a day, investigating whether personal data was stolen took much longer.
According to the data breach notification, their investigation took almost eight months and was completed on April 30, 2024, with the help of third-party experts.
This investigation revealed that the hackers first accessed customer data on October 3, 2023.
In an FAQ page on its site, Sav-Rx explains that it took eight months to send breach notices to impacted customers because its initial priority was to minimize interruption to patient care before launching an investigation into the impact of the incident.
Sav-Rx also noted that it didn't rush to conclude the investigation, striving for results that were as accurate as possible.
It says its health plan customers were notified earlier, between April 30 and May 2, 2024.
Sav-Rx then reached an agreement with its business customers to notify impacted individuals, and hence, the letters were circulated late last week.
The company notes that in many cases it did not have sufficient contact information to notify some individuals, so people are urged to confirm whether they're affected by calling 888-326-0815.
Among the new security measures Sav-Rx implemented in response to this incident are setting up a 24/7 security operations center, implementing multi-factor authentication on critical accounts, network segmentation, enhanced geo-blocking, upgraded firewalls and switches, strengthened Linux security, and BitLocker encryption.
Though the firm currently has no evidence that the stolen information was misused or disseminated on the dark web, it enclosed instructions in the letters on enrolling in a two-year credit monitoring and identity theft protection service.
As the stolen data contains sensitive information that can be used for identity theft, it is strongly advised that those impacted monitor their credit reports for fraudulent activity.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Mon, 27 May 2024 14:50:04 +0000