UPDATED 19:37 EST / MAY 28 2024

SECURITY

2.8M+ records exposed in data breach at prescription management company Sav-Rx

U.S. prescription management company Sav-Rx has disclosed that the records of more than 2.8 million customers have been exposed in a data breach that occurred in October last year.

The first indication of the breach was made in a May 24 filing with the Office of the Maine Attorney General, with the company then following up with a frequently asked questions page for its “data security incident.”

According to Sav-Rx, the breach started with the company identifying an interruption to its computer network on Oct. 8, 2023. The company then ticked off the standard response list — securing their systems, hiring third-party cybersecurity experts, informing law enforcement and launching an investigation.

The disruption to information technology services was rectified within one day and patient care did not suffer delays as a result. However, the investigation also found that an authorized third party accessed certain nonclinical systems and obtained files containing information.

Affected customers were those who were in Sav-Rx’s medication benefits management system, but not pharmacy customers. Customers that have been affected are being offered complimentary access to 24 months of credit monitoring.

The form of the breach was not disclosed. Given the scant information provided by the company, it’s hard to say if it was ransomware, but it wouldn’t be surprising if it were: Data theft and systems offline typically point to ransomware.

Hacks are a dime a dozen, but how a company reacts to being hacked and informing its customers are good tests of whether it’s acting in good faith or not. Although Sav-Rx claims that it only got the results of the investigation back on April 30, the hack took place in October and it’s now only now informing customers near the end of May.

“I don’t think the eight months it took Sav-Rx to notify impacted customers of the breach is going to fly with anyone, least of all their customers,” Roger Grimes, data-driven defense evangelist at security awareness training firm KnowBe4 Inc., told SiliconANGLE. “Today, you’ve got most companies notifying impacted customers in days to a few weeks. Eight months? Whoever decided on that decision is likely to come under some heat and have explaining to do.”

Photo: Sav-rx

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU