Cyber Incident Victim: BrightSpring Health Services

Date: Mar 2023

Location: United States of America

Summary

PharMerica experienced a ransomware attack by the Money Message group, compromising millions of patients' personal and medical data including names, Social Security numbers, dates of birth, addresses, medications, and health insurance details. The intrusion involved unauthorized network access over two days, with subsequent data theft confirmed after detection. BrightSpring Health Services, its parent company, reported a related breach affecting hundreds of thousands. Attackers leaked terabytes of stolen records on their extortion site and a public forum, claiming possession of over a million unique files. The company engaged cybersecurity experts, notified authorities, and offered identity protection services to impacted individuals. Systems were restored without operational disruption during investigation and response efforts.

Description

On March 12, 2023, unauthorized actors gained access to the network of PharMerica, a Kentucky-based pharmacy network operating across 50 states with 180 local pharmacies and services to 3,100 medical facilities. The intrusion was detected on March 14, 2023, and investigators confirmed that the threat actors had maintained access until March 13. Parent company BrightSpring Health Services engaged third-party cybersecurity experts to investigate the incident and determined that sensitive personal data had been exfiltrated. Analysis revealed compromised data included full names, Social Security numbers, birth dates, addresses, medication histories, and health insurance information. The Money Message ransomware group claimed responsibility for the attack, listing both PharMerica and BrightSpring on its data leak site on March 28 and initially asserting it had stolen over 2 million records. Subsequent forensic analysis identified a substantially larger impact: PharMerica’s May 12 notification to affected parties disclosed a breach impacting 5,815,591 individuals. That figure was reported to the Maine Attorney General, alongside a separate BrightSpring filing that attributed 535,203 affected individuals to the same attack. The ransomware group published 4.7 terabytes of allegedly stolen data on April 9, which included 1.6 million unique records and was later redistributed in segmented files on a public hacking forum.

The attack disrupted internal systems but did not halt PharMerica’s operational services. BrightSpring confirmed no operational interruptions beyond the data compromise. PharMerica initiated breach notifications on May 12, nearly two months post-discovery, offering one year of Experian identity theft protection and fraud monitoring to victims. The delayed disclosure timeline included confirmation of data theft by March 21, though public reporting lagged by eight weeks. Regulatory notifications were filed with Maine and the U.S. Department of Health and Human Services’ Office for Civil Rights. Concurrently, the Money Message group targeted other entities, including Taiwanese manufacturer MSI, during its emergence in early 2023. The PharMerica incident exposed vulnerabilities in safeguarding large-scale patient data repositories, with confirmed impacts spanning financial, medical, and identifying information. The disclosures did not explicitly reference ransomware deployment or encryption, focusing instead on data theft and extortion tactics. The published datasets remained publicly accessible as of the latest reports, amplifying risks of identity fraud and medical privacy violations for millions of patients.