Cyber Incident Victim: Injured Workers Pharmacy

The incident at Injured Workers Pharmacy began with unauthorized access to employee email accounts, first detected on or around May 11, 2021, when suspicious activity was observed in one account. Immediate action was taken to secure the compromised account, and third-party computer forensics experts were engaged to investigate the breach. Forensic analysis revealed that seven distinct email accounts had been accessed without authorization between January 16, 2021, and May 12, 2021, indicating a prolonged period of potential exposure. The organization subsequently engaged specialized data review teams to examine the contents of these email accounts and their attachments. This examination confirmed the presence of protected health information belonging to 75,771 individuals within the compromised communications. Exposed data elements included full names, physical addresses, and Social Security numbers—categories of information that collectively create significant identity theft risks.

Following the forensic investigation, Injured Workers Pharmacy initiated a validation process to verify the accuracy of the exposed data inventory. This verification was completed on or around December 14, 2021, establishing the final scope of impacted individuals. Notification letters began distribution to affected parties on February 3, 2022—approximately nine months after initial detection and two months after validation concluded. In response to the breach, the pharmacy implemented augmented email security protocols, though specific technical enhancements were not detailed in public reporting. The organization offered complimentary credit monitoring and identity restoration services to certain affected individuals, with eligibility likely tied to exposure severity of sensitive identifiers like Social Security numbers. The incident's primary operational impact centered on email system integrity, with no indication of compromise to broader medical systems or prescription management platforms. Financial consequences included forensic investigation costs, notification expenses, and service provisions for impacted individuals, while reputational damage stemmed from exposure of sensitive claimant data tied to workers' compensation cases.