Cyber Incident Victim: EPIC Pharmacy Network

On August 19, 2021, EPIC Pharmacy Network, a buying group representing over 1,500 independently owned US pharmacies, experienced a phishing attack compromising two employee email accounts. The breach exposed protected health information of 28,776 individuals, including names, birth dates, medical treatment details, and prescription information. While the exact discovery date remains unspecified, forensic investigators concluded their analysis on December 22, 2021, confirming the unauthorized access vector and scope. The organization initiated breach notifications to affected patients on February 8, 2022, adhering to HIPAA's 60-day disclosure mandate following breach confirmation. EPIC Pharmacy Network maintained throughout its communications that no evidence indicated actual misuse or exfiltration of the accessed data during the incident.

In response to the breach, EPIC Pharmacy Network deactivated compromised accounts and collaborated with its information technology managed services providers to implement enhanced security protocols. These measures aimed to prevent recurrence of similar phishing incidents, though specific technical controls were not publicly detailed. The organization emphasized its commitment to information privacy safeguards in public statements and website notices, referencing existing precautions while acknowledging the need for strengthened defenses. No offer of identity protection services was documented in available disclosures, contrasting with other contemporaneous healthcare breaches. Internal policy reviews and operational adjustments were conducted to align cybersecurity practices with evolving threats following forensic findings.