PharMerica Leaks 5.8M Deceased Users’ PII, Health Information

PharMerica Healthcare has disclosed that its systems were breached earlier this year by an unauthorized third party, which resulted in the leak of the personal details of more than 5.8 million deceased people.

PharMerica provides pharmacy services for patients under long-term care, including those in senior living facilities, hospice care, and using behavior health services.

A copy of a letter disclosing the data theft sent by PharMerica and addressed to the “Administrator/Executor of the Estate of…,” explained the cybersecurity incident occurred from March 12-13, and exposed information including the deceased person’s name address, date of birth, Social Security number, medications, and health insurance details.

PharMerica added that it has conducted a review of the incident and has “taken steps to reduce the risk of this type of incident from occurring in the future, including enhancing our technical security measures.”

NextGen Healthcare similarly disclosed a data breach by a third party days before PharMerica. In NextGen’s case, an unauthorized actor accessed a database with information on more than 1 million people.

Seniors Most at Risk

“This is a devastating data breach both in terms of size and the severity of what was leaked,” Paul Bischoff, consumer privacy advocate at Comparitech, said in a statement in reaction to the PharMerica disclosure.

“The Social Security and health insurance information pose the most immediate threat,” Bischoff added. “They could be used for identity theft and medical benefits fraud, respectively.”

Because the victims are passed, relatives aren’t likely to regularly monitor their credit reports, making any cybercrime related to the stolen data even more difficult to detect and stop, Bischoff explained.

“That puts the onus of responsibility on relatives, who could be on the hook for the deceased’s debts,” Bishoff added. “I suspect this attack disproportionately affects the elderly as well, who are frequently targeted by fraud.”

Chris Hauk, consumer privacy advocate at Pixel Privacy, also urged in a statement those impacted by the PharMerica compromise to stay on alert for accounts and lines of credit opened in a deceased person’s name, as well as phishing attempts using the stolen sensitive data.

“As senior citizens make up a large number of pharmaceutical customers, they and their caretakers will also need to stay alert for phishing attempts,” Hauk added.