2.8 Million Individuals Affected by Sav-Rx Data Breach

Medication Benefit Management solutions provider to health plans, A&A Services based in Fremont, Nebraska, also known as Sav-Rx, encountered a cyberattack on October 8, 2023. It was confirmed that the Sav-Rx data breach affected the protected health information (PHI) of 2,812,336 people.

A security breach was discovered because of a computer system interruption. Steps were undertaken to protect those systems from further unauthorized access. Third-party cybersecurity specialists helped to control the incident and looked into the reason for the disruption. Sav-Rx restored its systems the next day without any trouble to patient health care, prescriptions were sent with no delay. Because its adjudication program was not affected, network pharmacy chains experienced no issues. According to the investigation, an unauthorized third party accessed its systems on October 3, 2024.

Although the incident was resolved immediately, the investigation showed that the threat actor responsible for the attack could access a non-clinical database and extract files that contained PHI. Sav-Rx did not mention any ransom demand; nevertheless, it mentioned that the stolen data acquired from the IT network was destroyed and no longer exposed. The statement indicates that the attacker issued a ransom demand, and Sav-Rx paid the ransom.

The analysis of the impacted files showed they included PHI necessary for availing the medication benefits management services that Sav-Rx offers to health plans. The impacted persons were members of health plans or present or past workers. Sav-Rx stated its pharmacy programs were not affected and not all health plan clients/members had their information compromised in the attack.

Sav-Rx explained in its breach notifications the reason for the delay in providing notifications. A technological investigation was prioritized to offer impacted people accurate details. As soon as the investigation results were received on April 30, 2024, notifications were sent to affected health plan customers within 48 hours. Sav-Rx offered to send breach notifications to the impacted health plan clients and already did.

The data compromised in the attack contained names, addresses, telephone numbers, birth dates, email addresses, Social Security numbers, eligibility information, and insurance ID numbers. The attack did not affect financial data. The impacted persons received free identity theft protection and credit monitoring services.

Sav-Rx additionally explained at length the HIPAA compliance steps undertaken since the incident to strengthen security and stop the occurrences later. Those steps include improving features like:

  • 24-hour a day security operations center
  • Multi-factor authentication
  • Microsoft Defender anti-virus and firewall
  • BitLocker
  • New firewall and switches
  • Improved geo-blocking
  • Network segmentation
  • Linux system enhancement
  • LAPS installation
  • Patching cycle implementation
  • SSL certification cycling
  • Policy and procedure enhancement
  • Website innovations
  • Zabbix

Author: Daniel Lopez

Daniel Lopez is the HIPAA trainer behind HIPAA Coach and the HIPAA subject matter expert for NetSec.news. Daniel has over 10 years experience as a HIPAA coach. Daniel provides his HIPAA expertise on several publications including Healthcare IT Journal and The HIPAA Guide. Daniel has studied Health Information Management before focusing his career on HIPAA compliance and protecting patient privacy. You can follow Daniel on Twitter / X https://twitter.com/DanielLHIPAA