Data Breaches at PharMerica, R&B Corporation of Virginia, ASAS Health and Methodist Family Health

Approximately 6 Million People Impacted by PharMerica Data Breach

In April 2023, the Money Message ransomware group announced that it had accessed the systems of PharMerica and BrightSpring Health Services and listed both companies on its data leak website. The group stated that it had exfiltrated databases containing 4.7 million terabytes of data, including the information of over 2 million persons. PharMerica has now determined the magnitude of the data breach.

PharMerica is one of the biggest providers of pharmaceutical services in America, managing over 2,500 establishments and more than 3,100 pharmacy and healthcare packages. PharMerica and BrightSpring have finished their investigation, determined that unauthorized individuals accessed sensitive patient data, and reported the data breach to the Maine Attorney General as impacting 5,815,591 people. That makes it the biggest healthcare data breach reported by a single HIPAA-covered entity to date in 2023.

PharMerica stated in its notification letters that it detected suspicious activity inside its computer system on March 14, 2023. The company isolated the network and conducted an investigation to determine the nature and extent of the breach. Third-party cybersecurity specialists helped PharMerica confirm that “an unidentified third party” accessed its computer systems from March 12 to March 13, 2023, and that personal information may have been obtained from its systems during that time frame.

By March 21, 2023, PharMerica had determined that the compromised network contained names, addresses, dates of birth, Social Security numbers, medication data, and medical insurance details. PharMerica did not mention any ransomware attack or any exposure of data on the internet. However, the company stated that it believes no information has been misused to commit fraud or identity theft.

Impacted persons received notifications and offers of free credit monitoring and identity theft protection services for one year. Patients and executors of the estates of deceased patients were advised to contact the national credit reporting agencies and either make sure the person’s credit file is tagged as ‘deceased – don’t issue credit’, or ask the credit reporting agency to add a note to the patient’s credit record so that a designated person (such as a family member or nearest relative) and/or the authorities are informed if an application for credit is made. PharMerica states it has implemented additional specialized cybersecurity measures to prevent similar incidents in the future.

Debt Collection Agency Data Breach Impacts Numerous Healthcare Companies

R&B Corporation of Virginia, also known as Credit Control Corporation (CCC), recently submitted a data breach report to the Maine Attorney General indicating that 286,699 persons were impacted. CCC is a debt collection company and a business associate of many hospitals and physicians’ offices. The debt collection company, based in Newport News, VA, said it discovered suspicious activity inside its computer systems on March 7, 2023. Its IT systems were immediately isolated, and a forensic investigation was conducted to determine the nature and extent of the activity. On or about March 14, 2023, CCC confirmed that unauthorized persons had gained access to its systems and copied files that contained sensitive information. The attack was confirmed to have happened from March 2, 2023 to March 7, 2023.

A preliminary analysis of the exposed files, completed on May 3, 2023, confirmed that the files included data such as names, Social Security numbers, and addresses. CCC mailed notifications to affected individuals on May 15, 2023 and offered them free credit monitoring services. The company says it reviews its data security guidelines, procedures, and practices on a regular basis and will continue to do so, has strengthened its security measures to better protect patient information, and has increased the frequency of employee training on data security.

The breach affected the following healthcare companies:

  • Atlantic Orthopaedic Specialists
  • Bayview Physicians Group
  • Chesapeake Regional Medical Center
  • Chesapeake Radiology
  • Children’s Specialty Group
  • Children’s Hospital of the King’s Daughters Health System and its Affiliates
  • Dominion Pathology Laboratories
  • Emergency Physicians of Tidewater
  • Medical Center Radiology
  • Mary Washington Healthcare
  • Pariser Dermatology Specialists, Inc
  • Sentara Health System
  • Riverside Health System
  • Tidewater Physicians Multispecialty Group
  • Valley Health System
  • UVA Health System
  • VCU Health System

Hacking Incident at ASAS Health

ASAS Health, an internal medicine practice in Edinburg, TX, recently notified 25,527 people about a hacking incident that compromised their sensitive protected health information (PHI). It detected suspicious network activity on March 9, 2023, and took immediate action to protect the system. According to the forensic investigation, hackers gained access to areas of its network that stored patient data. The breach notifications did not describe the nature of the data breach or how long the hackers had access to its systems.

ASAS Health stated that it cannot definitively establish whether patient information was viewed or stolen, but data compromise is possible. The analysis of the impacted files confirmed that they included data such as names, birth dates, addresses, telephone numbers, email addresses, Social Security numbers, driver’s license numbers, diagnoses, Medicare ID numbers, disability codes, and health plan provider details.

ASAS Health sent the breach report to the Maine Attorney General and said that it offered credit monitoring services to affected persons. The notification letters also advised the affected individuals to check their accounts, report suspicious activity, and be cautious of phishing attempts and of email messages or documents purportedly sent by ASAS Health. ASAS Health said it will continue to improve its security practices and maintain a strong data security program.

Data Breach at Business Associate Impacts Methodist Family Health

Methodist Family Health, based in Little Rock, AR, confirmed the exposure of patient information in a security breach that occurred at a business associate. The business associate provided pharmaceutical services and had access to patient records in order to carry out its contracted responsibilities. The business associate discovered a security incident on March 6, 2023, and its investigation confirmed that its systems were accessed on March 4, 2023.

Methodist Family Health has said that unauthorized access has been blocked and that extra security measures have been deployed to prevent similar incidents in the future. The breached documents included data such as names, dates of birth, addresses, admission/treatment dates, diagnoses, account numbers, service charges, and medication details. The company has reported the breach to the HHS’ Office for Civil Rights as affecting 5,259 persons.

Elizabeth Hernandez

Elizabeth Hernandez is the editor of the HIPAA News section of HIPAA Coach and an experienced journalist in the healthcare sector. She specializes in healthcare and HIPAA compliance, making her a go-to source for information on healthcare regulations. Her work focuses on the importance of patient privacy and secure information handling. Elizabeth also has a postgraduate degree in journalism. You can follow Elizabeth on Twitter at https://twitter.com/ElizabethHzone