PharMerica Healthcare has reported that its systems were hacked earlier this year, resulting in the leak of the personal data of more than 5.8 million deceased individuals. The pharmaceutical firm offers pharmacy services to patients under long-term care, including seniors in living facilities, behavioral health facilities, and those under hospice care.
PharMerica confirmed that the breach occurred in mid-March this year and resulted in the exposure of personal data, including the deceased person’s name, address, date of birth, Social Security number, medication, and health insurance details. The firm has since conducted a thorough review of the cybersecurity incident and has enhanced its technical security measures to prevent a similar occurrence in the future.
NextGen Healthcare, a similar provider of healthcare services, reported a data breach by a third party days before PharMerica’s disclosure. In NextGen’s case, the data of more than a million people was compromised when an unauthorized actor accessed its database.
“This is a severe breach in terms of both size and severity of what was leaked,” Paul Bischoff, a consumer privacy advocate at Comparitech, said in a statement regarding the PharMerica breach. He added that the Social Security and health insurance information poses an immediate threat of identity theft and medical benefits fraud. It is likely to be difficult to detect and stop any cybercrime related to the stolen data because the victims are deceased, and their relatives do not check their credit reports regularly.
The responsibility of monitoring the credit reports of the deceased now falls on surviving relatives, who could be held accountable for settling the deceased’s debts. Bischoff believes that the attack disproportionately affects seniors, who are frequently targeted by fraudsters.
Chris Hauk, a consumer privacy advocate at Pixel Privacy, urged those impacted by the PharMerica compromise to stay alert for accounts and lines of credit opened in a deceased person’s name, phishing attempts, and various other fraudulent activities. He also noted that senior citizens make up a significant proportion of pharmaceutical customers, and as a result, their caretakers will have to pay close attention to any phishing attempts or other suspicious activities.
Several states have laws that require companies to notify individuals whose data has been breached or misused. In the case of the PharMerica breach, the firm sent out letters to the “Administrator/Executor of the Estate of…” to notify them of the incident. However, it is unclear whether the firm has notified the relevant authorities and regulators about the breach.
PharMerica has since advised relatives and affected persons to take the necessary precautions to safeguard their financial and personal data. The firm also recommended that they enroll in an identity theft protection service to help monitor any fraudulent activities with their details.
PharMerica and NextGen are not the only healthcare service providers that have suffered data breaches in recent years; both Anthem and Premera Blue Cross have also experienced large-scale data breaches. Thus, it is crucial for healthcare providers to enforce strict cybersecurity controls and ensure they can safeguard sensitive personal information from unauthorized persons.