Sav-Rx Discloses October 2023 Data Breach After Eight Months, 2.8M Customers Impacted
Sav-Rx, which provides prescription management services to unions, employers, and other organizations, disclosed it was breached in October 2023. The company added that it suffered minimal material disruption and shipped prescriptions without delay. However, Sav-Rx’s delay in publicly notifying customers and authorities of the breach is being questioned.
- Nebraska-based Sav-Rx, which provides prescription management services to unions, employers, and other organizations, disclosed it was breached in October 2023.
- Sav-Rx’s delay in publicly notifying customers and authorities of the breach is being questioned.
This week, prescription management company Sav-Rx disclosed a data breach impacting more than 2.8 million customers. The American company’s disclosure comes almost eight months after the breach occurred in October 2023.
According to Sav-Rx’s breach disclosure with the Maine Attorney General’s office, the data of 2,812,336 customers was leaked in October last year. The company’s breach notification on its website notes that an unauthorized third party could access some non-clinical systems and obtain files containing customers’ personal information.
Sav-Rx said they notified impacted customers via letter and restored services on the next business day after the breach, October 9, 2024. The company added that it suffered minimal material disruption and shipped prescriptions without delay. However, Sav-Rx’s delay in publicly notifying customers and authorities of the breach is being questioned.
Roger Grimes, data-driven defense Evangelist at KnowBe4, told Spiceworks News & Insights, “I don’t think the 8 months it took Sav-Rx to notify impacted customers of the breach is going to fly with anyone, least of all their customers. Today, you’ve got most companies notifying impacted customers in days to a few weeks. 8 months? Whoever decided on that decision is likely to come under some heat and have explaining to do.”
See More: Navigating Data Breaches in Healthcare: The Six Layers to Securing Remote Connectivity
Sav-Rx added that they prioritized minimizing interruption to patient care and only concluded their investigation on April 30, 2024. The investigation revealed that the personal information, including full names, dates of birth, Social Security Numbers, email addresses, physical addresses, phone numbers, eligibility data, and insurance identification numbers of customers, was exposed.
“Delaying initial disclosure of a data breach prevents cyber threat intelligence analysts from contextualizing attacks, and taking action to protect their employees,” Matt Sparrow, senior intelligence operations analyst at Centripetal, told Spiceworks.
“Businesses and organizations worldwide are struggling to keep up with the growing number and speed of data breaches, despite substantial investments in security tools.”
As part of the response, Sav-Rx has implemented a 24×7 security operations center, Microsoft Defender anti-virus and firewall, multi-factor authentication, BitLocker, Zabbix, new firewall and switches, patching cycle implementation, network segmentation, Linux system hardening, enhanced geo-blocking, LAPS installation, SSL certification cycling, website/portal enhancements, and policy and procedure development.
It is unclear who attacked Sav-Rx, although the company’s priority for system uptime indicates ransomware. The company hasn’t provided any further details on the cyberattack.
Sav-Rx is offering customers impacted by the breach credit monitoring and identity theft protection for two years.
MORE ON DATA BREACHES
