U.S. prescription management company Sav-Rx has disclosed that the records of more than 2.8 million customers have been exposed in a data breach that occurred in October last year.

The first indication of the breach was made in a May 24 filing with the Office of the Maine Attorney General, with the company then following up with a frequently asked questions page for its “data security incident.”

According to Sav-Rx, the breach started with the company identifying an interruption to its computer network on Oct. 8, 2023. The company then ticked off the standard response list — securing their systems, hiring third-party cybersecurity experts, informing law enforcement and launching an investigation.

The disruption to information technology services was rectified within one day and patient care did not suffer delays as a result. However, the investigation also found that an authorized third party accessed certain nonclinical systems and obtained files containing information.

Affected customers were those who were in Sav-Rx’s medication benefits management system, but not pharmacy customers. Customers that have been affected are being offered complimentary access to 24 months of credit monitoring.

The form of the breach was not disclosed. Given the scant information provided by the company, it’s hard to say if it was ransomware, but it wouldn’t be surprising if it were: Data theft and systems offline typically point to ransomware.

Hacks are a dime a dozen, but how a company reacts to being hacked and informing its customers are good tests of whether it’s acting in good faith or not. Although Sav-Rx claims that it only got the results of the investigation back on April 30, the hack took place in October and it’s now only now informing customers near the end of May.

“I don’t think the eight months it took Sav-Rx to notify impacted customers of the breach is going to fly with anyone, least of all their customers,” Roger Grimes, data-driven defense evangelist at security awareness training firm KnowBe4 Inc., told SiliconANGLE. “Today, you’ve got most companies notifying impacted customers in days to a few weeks. Eight months? Whoever decided on that decision is likely to come under some heat and have explaining to do.”

Photo: Sav-rx