Fortune 1000 company and pharmacy services provider PharMerica Corp. has been struck by a ransomware attack, with data from 5.8 million patients stolen and published online.

The theft of data was first disclosed in a breach notice filed with the Office of the Maine Attorney General. According to the notice, the breach occurred on March 12 and was not discovered until March 21. Although the company did not disclose the exact form of the attack, it is described in the breach notice as an “external system breach (hacking).”

In a letter sent to those affected by the theft of data, PharMerica claims that the breach was first detected on March 14, which contradicts the date of March 21 in the breach notice. The information stolen included names, addresses, Social Security numbers, medication details and health insurance information.

The company claims in the letter that they have no reason to believe that anyone’s information has been misused to commit fraud or identity theft. That may have been wishing thinking, though, given the ransomware group behind the attack has already published the stolen data.

Bleeping Computer reported today that the Money Message ransomware gang claimed responsibility for the attack on March 28. The group also claims to have breached BrightSpring, a health service provider that merged with PharMerica in 2019. After a ransom payment was not forthcoming by April 9, the cut-off date for payment, the group dumped all the stolen records on a hacking site.

The Money Message ransomware gang is a new group that was first detected in March. The group first came to prominence after claiming responsibility for an attack on Taiwanese hardware manufacturer Micro-Star International Co. Ltd. in April.

“This is a devastating data breach both in terms of size and the severity of what was leaked,” Paul Bischoff, consumer privacy advocate at tech research site Comparitech, told SiliconANGLE. “The Social Security and health insurance information poses the most immediate threat. They could be used for identity theft and medical benefits fraud, respectively.”

Bischoff explained that identity thieves could try to open lines of credit in the names of the deceased, “who obviously aren’t going to check their credit reports. That puts the onus of responsibility on relatives, who could be on the hook for the deceased’s debts. I suspect this attack disproportionately affects the elderly as well, who are frequently targeted by fraud.”

Image: PharMerica