Cyber Incident Victim: AllCare Plus Pharmacy

AllCare Plus Pharmacy, based in Massachusetts, experienced a data breach involving unauthorized access to employee email accounts following a phishing attack discovered on June 21, 2022. The organization identified suspicious phishing emails circulating among certain employees and immediately removed those emails from its systems. An investigation involving external experts confirmed that unauthorized access to portions of several employee email accounts had occurred on April 14, 2022. This breach potentially exposed protected health information (PHI) of 5,971 patients, as reported to the Maine Attorney General. The compromised data included names, addresses, dates of birth, Social Security numbers, and certain health information. AllCare stated it found no evidence that patient data had been misused for fraudulent purposes or made publicly available following the incident. The organization emphasized no signs of ongoing unauthorized activity but continued monitoring the situation.

In response to the breach, AllCare implemented additional security measures, internal controls, and safeguards to strengthen its defenses. The pharmacy offered affected individuals 24 months of complimentary identity theft protection services. Notification letters were sent to potentially impacted patients, though AllCare reiterated that the investigation did not substantiate any actual misuse of the exposed information. The breach timeline spanned from the April 14 intrusion to its detection on June 21, with containment actions including email system remediation and forensic analysis. No specific technical details about the phishing mechanism or attacker origins were disclosed publicly. The incident highlighted risks associated with email-based threats targeting healthcare entities handling sensitive patient data.