Customer in pharmacy holding medicine bottle showing data breach at prescription management company

Prescription Management Company Sav-Rx’s Data Breach Impacts 2.8 Million Patients

Prescription management provider Sav-Rx is notifying 2.8 million individuals of a data breach impacting their personal information after an unauthorized party accessed certain non-clinical systems.

According to data breach notices sent to impacted individuals, Sav-Rx experienced network interruption on October 8, 2023.

Sav-Rx responded by shutting down impacted systems and engaging third-party cybersecurity experts to contain the incident. Further assessment discovered data exfiltration of sensitive information.

Prescription management provider Sav-Rx’s data breach leaked PHI

The Fremont, Nebraska-based company restored the impacted systems the next day, limiting disruptions to its clinical operations.

Subsequently, the cyber attack did not disrupt patient care and only impacted medication benefits, but not the pharmacy management system. Thus, pharmacy network chains dependent on the Sav-Rx prescription management systems unaffected by the cyber attack.

“The incident did not affect our pharmacy systems, including those systems related to our mail order pharmacy,” the company said.

Following an extensive review of impacted systems that concluded on April 30, 2024, Sav-Rx determined that the unauthorized intruder obtained some files containing unspecified protected health information.

“After an extensive review with third-party experts, on April 30, 2024, we discovered that some of the data accessed or acquired by the unauthorized third party may have contained your protected health information,” the individual notification letters stated.

The investigation also determined that the attacker gained initial access on or around October 3, 2023, five days before the prescription management company detected unauthorized activity.

According to a security incident alert filed with the Office of the Maine Attorney General, the Sav-Rx data breach impacted 2,812,336 people, including 5,935 Maine residents.

However, Sav-Rx said, “not all customers were impacted, and not all health plan participants were impacted.”

Based on its assessment, Sav-Rx determined the data breach leaked the victims’ full names, dates of birth, phone numbers, email addresses, insurance ID numbers, eligibility information, Social Security Numbers, and other personal identifiers.

Although Sav-Rx has shared considerable details regarding the cyber attack, its nature remains enshrouded in mystery, but it bears the hallmarks of a botched ransomware attack.

Meanwhile, Sav-Rx is offering 24 months of credit monitoring and identity theft restoration via Equifax and advised customers to monitor their credit and financial reports for suspicious activity.

The prescription management platform is also working with third-party cybersecurity experts to ensure the stolen data is destroyed and not shared with other parties, suggesting that a ransom was paid.

However, the prescription management company has not disclosed receiving any ransom demands, and no hacking group has publicly taken credit for the Sav-Rx data breach.

Sav-Rx has also notified law enforcement and taken additional steps to secure its systems, and conduct security awareness training to prevent a similar data breach in the future.

“Sav-Rx’s response, including the establishment of a 24/7 security operations center and implementation of multi-factor authentication, network segmentation, and advanced encryption, is commendable,” said BullWall Executive, Carol Volk.

However, she noted that cybersecurity, including ransomware containment, should be proactive and not reactive.

“The healthcare sector must prioritize cybersecurity investments and adopt proactive strategies to protect patient data and critical infrastructure. The Sav-Rx breach emphasizes the importance of preparedness and the need for continuous vigilance to safeguard against future attacks,” added Volk.

Long delay in data breach notification

Although the Sav-Rx data breach will not likely have any material impact on the company, the prescription management provider faces a potential lawsuit for allegedly failing to protect its customers’ sensitive information.

Additionally, the 8-month delay in notifying individual victims casts the Sav-Rx in a bad light. However, the prescription management company explained that it prioritized minimizing disruptions and patient care before launching investigations.

“I don’t think the 8 months it took Sav-Rx to notify impacted customers of the breach is going to fly with anyone, least of all their customers,” noted Roger Grimes, Data-Driven Defense Evangelist at KnowBe4. “Today, you’ve got most companies notifying impacted customers in days to a few weeks. 8 months? Whoever decided on that decision is likely to come under some heat and have explaining to do.”

According to Matt Sparrow, Senior Intelligence Operations Analyst at Centripetal, “delaying initial disclosure of a data breach prevents cyber threat intelligence analysts from contextualizing attacks, and taking action to protect their employees.”

However, Volk opined that the delayed notification “reflects the challenges organizations face in balancing immediate operational needs with comprehensive incident response.”

Sav-Rx claims that health plan organizations received notifications much earlier, between April 30 and May 2, 2024, while individual customers were notified on May 24, 2024.

Worse still, the prescription management company has warned that some data breach victims could miss the notifications due to missing contact information. Subsequently, individual customers should contact Sav-Rx customer service to confirm if the October 2023 data breach exposed their personal information.