Menu
Browse

Cyber Incident Victim: PharMerica

Date:

Mar 2023

Location:

United States of America

Summary

A ransomware attack targeted PharMerica and its parent company, BrightSpring Health Services, resulting in the theft of sensitive patient data including names, Social Security numbers, dates of birth, addresses, medications, and health insurance information. The incident involved unauthorized network access by the Money Message ransomware group, which subsequently leaked stolen data publicly, with reports indicating impacts ranging from hundreds of thousands to millions of individuals. The parent company engaged cybersecurity experts, confirmed operational continuity, and offered identity protection services to affected patients, while the attackers claimed exfiltration of terabytes of data and disseminated it on hacking forums.

CIA Posture Motives Tactics, Techniques & Procedures
Available to members 3 motives 2 techniques
Threat Actor Type Location
1 actor Available to members Available to members

Description

In March 2023, PharMerica, a Kentucky-based pharmacy network operating in all 50 U.S. states, and its parent company BrightSpring Health Services experienced a cybersecurity incident involving unauthorized network access by the Money Message ransomware group. The intrusion occurred between March 12 and March 13, 2023, with detection occurring on March 14, 2023. BrightSpring engaged third-party cybersecurity experts to investigate and confirmed that attackers accessed sensitive patient information including full names, Social Security numbers, addresses, dates of birth, medication details, and health insurance information. While BrightSpring reported the breach affected 535,203 individuals in its Maine Attorney General filing, PharMerica's separate notification disclosed a significantly larger impact of 5,815,591 patients. The parent company maintained that operational systems remained unaffected during the incident. Notification letters to affected individuals were delayed, with PharMerica issuing alerts nearly two months post-discovery on May 12, 2023. Both entities offered mitigation measures including one year of complimentary identity protection services through Experian and credit monitoring.

Cyber Incident Image

The Money Message ransomware group, which emerged in March 2023, publicly claimed responsibility on March 28 by listing both organizations on its data leak site. The group asserted theft of over 2 million records from BrightSpring and 4.7 terabytes of data from PharMerica, equivalent to approximately 1.6 million unique records. On April 9, 2023, following the expiration of their extortion deadline, the attackers published the entirety of the stolen PharMerica data on their platform. Subsequent dissemination occurred via a clearnet hacking forum where threat actors partitioned the dataset into 13 downloadable archives. The exposed information included highly sensitive patient healthcare data, significantly increasing risks of identity theft and medical fraud. BrightSpring completed breach notifications by late March 2023, while PharMerica's delayed disclosure timeline extended into mid-May. Neither organization confirmed whether ransom demands were paid or detailed specific containment measures beyond network access termination and forensic investigations. The incident represented one of the largest healthcare data breaches of 2023 based on affected individuals.

Sources
Sources available to members
3 sources