Absolutely don’t rush Sav-Rx. Take your time. No need to notify customers that the company database has been hacked, until you are good and ready. Why hurry to share that the names, dates of birth, social security numbers, email addresses, mailing addresses, phone numbers, eligibility data, and insurance identification numbers of potentially 2,812,336 people were compromised back in October of 2023? What’s eight months for a fraudster? Besides everything?
Sav-Rx is a company that provides prescription drug benefit services to various organizations such as unions, employers, and health plans. On May 24,2024, Sav-Rx notified the Maine Attorney General’s office of a cybersecurity incident that occurred eight months prior which exposed the data of 2,812,336 people. Sav-Rx did jump into action. It’s just that protecting their clients’ identities wasn’t on the top of the list. Sav-Rx’s first reaction was to secure its systems and make sure it restores operations as quickly as possible. In a FAQ page on its site, Sav-Rx explains that it took them eight months to send out notices of breach to impacted customers because their initial priority was to minimize interruption to patient care before launching an investigation on the impact of the incident. They did it for the customer, not the Board of Directors? Business resumed as usual the next day, and prescriptions were shipped on time and without delay. Twenty-four hours after the hack, it looks like everyone took a nap.
Eight months later, Sav-Rx concluded that the hackers stole its customers’ sensitive data. Sav-Rx is quick to pat themselves on the back claiming that clinical data was not accessed. Hold the applause. Because the type of information stolen here is more than enough for any hacking group to use in identity theft, phishing, or social engineering attacks.
Shout out to Maine who shared this information as quickly as possible, despite Sav-Rx sitting on it for so long.
Today’s Fraud of The Day is based on article “Millions of US customers have social security numbers stolen in major Sav-Rx data breach” published by Tech Radar, May 28, 2024.
The hackers that hit Sav-Rx late in 2023 made away with sensitive data on more than 2.8 million people in the United States, the company has confirmed in a filing with the Maine Attorney General.
Sav-Rx is a pharmacy benefit manager (PBM), a company that provides prescription drug benefit services to various organizations such as unions, employers, and health plans. Its work includes the management and facilitation of prescription medication delivery, negotiations with drug manufacturers and pharmacies regarding prices, and more.