Pharmaceutical services provider PharMerica has disclosed a massive data breach affecting more than 5.8 million patients, exposing their medical data to hackers.

PharMerica is a pharmacy service provider in 50 U.S. states, operating 180 local pharmacies and 70,000 emergency pharmacies, and serving 3,100 medical facilities nationwide.

According to a data breach notification submitted to the Maine Attorney General’s Officehackers hacked into PharMerica’s system on March 12, 2023, stealing the full names, addresses, dates of birth, social security numbers (SSN), medications, and health insurance information of 5,815,591 people.

The company discovered the breach on March 14, 2023, and its investigation determined on March 21 that customer data had been stolen. However, data breach notices were not sent to affected individuals until Friday, May 12, 2023.

PharMerica is offering one year of Identity Protection Fraud Monitoring services through Experian, so it is recommended that those affected take up the offer to minimize the risk and impact of malicious attacks.

Data leaked by hackers

Although PharMerica does not mention the type of hacking incident, the Money Message ransomware gang claimed responsibility for the attack on March 28, 2023, when it began posting stolen data.

Along with PharMerica, threat actors listed BrightSpring, a health service provider that merged with PharMerica in March 2019.

Money Message claimed to have stolen 4.7TB of data in its attack on PharMerica, saying it was at least 1.6 million unique records of personal information.

On April 9, 2023, the timer ran out and the threat actors released what they claim to be all of the stolen data on their extortion site. Unfortunately, the files are still available for download at this time.

To make matters worse, a malicious actor has already posted the entire data dump on a hacking forum clearnet, splitting the file into 13 parts for easier downloading.

Money Message is a new ransomware operation that launched circa March 2023drawing media attention for its infringement against the Taiwanese PC parts manufacturer MSI (Micro-Star International).