
Rx Benefits Firm Notifying 2.8 Million of Data Theft Hack

The Breach Notice Raises the Question of Whether Sav-Rx Paid a Ransom

A Nebraska firm that provides medication benefits management and pharmacy services is notifying more than 2.8 million individuals of an October 2023 hacking incident involving the potential theft of their personal information, including Social Security numbers.


A&S Services, which is based in Fremont, Nebraska, and does business as Sav-Rx, said it first became aware of the incident on Sunday, Oct. 8, 2023, when it identified an interruption to its computer network.

The company said it took immediate steps to secure its network with the assistance of third-party cybersecurity experts and reported the incident promptly to law enforcement.

"We were able to restore our IT systems the next business day. The disruption to our IT systems did not result in any material disruption to participant care," Sav-Rx said. "Prescriptions were shipped on time without delay. Our adjudication system was not affected, so network pharmacy claims adjudicated continuously without impact or delay."

The data compromised in the incident includes information Sav-Rx maintains to provide medication benefit management services to individuals' current or former health plans, the company said.

Information potentially accessed or acquired by attackers includes name, birthdate, Social Security number, email address, address, phone number, eligibility data and insurance identification number.

"We contained the incident and confirmed that any data acquired from our IT system was destroyed and has not been disseminated any further," Sav-Rx said about the incident in the notice posted on its website.

Sav-Rx did not immediately respond to Information Security Media Group's requests for additional details and clarification, including whether the company paid a ransom to hackers in exchange for a promise by the cybercriminals to "destroy" and not further "disseminate" data exfiltrated in the incident.

"I'm not sure what Sav-Rx means when it says it confirmed that any stolen data was destroyed and not disseminated any further," said Brett Callow, a threat analyst at security firm Emsisoft.

"If the company is referring to the pinkie promise that the criminals provide when a ransom is paid, that doesn't really count as confirmation," he said. "Companies should be clear on points such as this so that people understand what risk they may be at and aren't lulled into a false sense of security."

Dave Bailey, vice president of security services at consulting firm Clearwater, said he suspects Sav-Rx paid a ransom.

"The statement by Sav-Rx is consistent with an organization that has negotiated with and paid a threat actor to destroy data," he said. "Unless there was a 'change of heart' by the bad actor, they would only confirm data 'destruction' and no further dissemination with payment."

Overall, the outcome of minimal IT disruption was positive for Sav-Rx, Bailey said. But the fast restoration raises the question of whether a ransom was paid.

"I would consider it lucky if the reason for their minimal disruption was solely due to paying the ransom and using the keys to get the data back," he said.

"It is important to have effective response and recovery plans and valid data backups to ensure recovery from an attack with minimal impacts. Having to rely upon a cybercriminal to get your business back up and running is risky."

Sav-Rx said that while it is currently unaware of any third parties using the compromised data, the company is offering affected individuals 24 months of complimentary identity and credit monitoring.

Lengthy Breach Analysis

Although Sav-Rx said it quickly secured its systems, the investigation to determine the individuals affected as well as the specific elements of each individual's personal information affected by the incident took months, the company said.

"We prioritized this technological investigation to be able to provide affected individuals with as much accurate information as possible. We received the results of that investigation on April 30, and we promptly sent notifications to our health plan customers whose participant data was affected within 48 hours," Sav-Rx said.

In a report filed to Maine's attorney general on Friday, Sav-Rx said the incident affected more than 2.81 million individuals, including nearly 6,000 Maine residents.

As of Wednesday, the Sav-Rx incident did not yet appear on the U.S. Department of Health and Human Services' Office for Civil Rights' HIPAA Breach Reporting Tool website listing health data breaches affecting 500 or more individuals. But once the Sav-Rx hacking incident is added to that site, it will potentially rank among the five largest health data breaches reported to regulators so far this year.

The Sav-Rx incident is also the latest major health data breach involving a third-party provider of crucial services in the healthcare sector.

As in the recent cyberattack on UnitedHealth Group's Change Healthcare IT services and products unit, hacking incidents targeted at critical vendors that handle data for scores of healthcare sector clients have the potential to affect millions of patients' protected health information (see: 100 Groups Urge Feds to Put UHG on Hook for Breach Notices).

"These incidents highlight the need to implement reasonable and effective cybersecurity practices that can minimize the impact of cyberattacks," Bailey said.

"Organizations should align their security programs to recognized frameworks like the NIST Cybersecurity Framework and implement the cybersecurity practices as outlined in the 405(d) Health Industry Cybersecurity Practices," he said (see: HSCC Issues Cyber 'Call to Action' Plan for Health Sector).

"The recommendations on what to do to minimize your risk are available today. It's time to go implement and remediate."

Sav-Rx said it has taken steps to bolster its security protocols and controls, technology, policies and training in the aftermath of its hacking incident.

"We took a number of detailed and immediate mitigation measures, including enhancing a number of features such as: 24/7 security operations center, Microsoft Defender antivirus and firewall, multifactor authentication, BitLocker, Zabbix, new firewall and switches, patching cycle implementation, network segmentation, Linux system hardening, enhanced geo-blocking, LAPS installation, SSL certification cycling, website/portal enhancements, and policy and procedure development," the company said.

"We continue to analyze additional opportunities for enhancing our security posture."

Sav-Rx, which was founded more than 50 years ago as a retail pharmacy and is a family-owned business, said on its website that it serves more than 1,000 clients. In addition to its medication benefits management services, the company operates a wholly owned network of over 74,000 retail pharmacies across the U.S. and a mail-order prescription pharmacy.

About the Author

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.
