PharMerica Healthcare has stated that an unauthorized third party broke into its networks early this year, causing the disclosure of more than 5.8 million deceased people’s personal information. PharMerica offers pharmaceutical services for individuals receiving long-term care, such as those in nursing homes, hospice care, and needing behavioral health treatments.
The cybersecurity incident occurred from March 12–13, per a copy of PharMerica’s letter to the “Administrator/Executor of the Estate of…,” informing them of the data theft. The letter detailed how the deceased person’s name, address, date of birth, Social Security number, prescriptions, and health insurance information were exposed. In addition, PharMerica said it has reviewed the event and “taken steps to reduce the risk of this type of incident from occurring in the future, including enhancing our technical security measures.”
Days before PharMerica, NextGen Healthcare also made public a third-party data breach. In the case of NextGen, an uninvited party gained access to a database containing data on more than 1 million people. In response to the PharMerica announcement, Paul Bischoff, consumer privacy advocate at Comparitech, issued a statement describing this data breach as catastrophic in terms of its scope and the gravity of the sensitive information.
According to Bischoff, Social Security and health insurance information is the greatest threat. This is because they could be employed for fraud involving medical benefits and theft of identities, respectively. In addition, since the victims are deceased, family members are unlikely to routinely check their credit reports, making it harder to identify and thwart any criminality involving the stolen data.
“That puts the onus of responsibility on relatives, who could be on the hook for the deceased’s debts,” Bishoff added. “I suspect this attack disproportionately affects the elderly as well, who are frequently targeted by fraud.”
In a statement, Chris Hauk, a consumer privacy advocate at Pixel Privacy, warned anyone affected by the PharMerica incident to be vigilant for accounts and lines of credit issued in a deceased person’s name as well as phishing efforts exploiting the sensitive data that was taken. In addition, seniors, who make up a sizable portion of pharmaceutical clients, will also need to be on the lookout for phishing efforts, noted Hauk.