Money Message Ransomware Group Leaks BrightSpring Health Services & PharMerica Data

The Money Message ransomware group has recently listed the Kentucky-based pharmacy network, PharMerica, and its parent company, BrightSpring Health Services, on its data leak site and claims to have stolen more than 2 million records in an attack on March 28, 2023. The stolen data includes patient names, birth dates, and Social Security numbers.

BrightSpring Health Services has confirmed that it is investigating a cybersecurity incident and has engaged third-party cybersecurity experts to assist with the investigation. BrightSpring said the attack did not affect its operations. At this stage of the investigation, it has not been determined how many individuals have been affected or the extent to which patient data was involved. The affected files are currently being reviewed and notification letters will be issued as quickly as possible.

Sarah D. Culbertson Memorial Hospital Confirms Systems Restored After Cyberattack

Sarah D. Culbertson Memorial Hospital in Rushville, IL, has confirmed that it has fully restored its IT systems following a March 2023 cyberattack.  The hospital experienced disruption to its network on March 30, 2023. Systems were shut down to contain the attack and third-party cybersecurity experts were engaged to investigate the attack and determine the extent to which patient data was involved.

While access to the majority of its IT systems was prevented during the attack and breach response, the hospital confirmed that its ED services have been operational throughout and patient care was unaffected. Notifications will be issued to affected individuals if patient data is determined to have been compromised in the attack.

Mailing Error Affects More than 15,000 St. Luke’s Health System Patients

St. Luke’s Health System has notified 15,246 patients about an accidental disclosure of some of their protected health information. A technical error with a mailing resulted in letters being sent to incorrect mailing addresses. The letters that were sent to incorrect patients included the guarantor’s name, guarantor number, patient’s name, date of service, encounter-specific account number, outstanding balance, and balance status. St. Luke’s Health System said the accounts were not in collections and are not accountable for the balances.

The error was identified and corrected, and additional safeguards have now been implemented to identify similar errors before letters are mailed. As a precaution against misuse of data, the accounts of affected individuals have been reset to provide additional time to resolve balances, and affected individuals have been offered complimentary identity theft protection services for 12 months.

The post Cyberattacks Affect BrightSpring Health Services, PharMerica, & Sarah D. Culbertson Memorial Hospital appeared first on HIPAA Journal.