The Sav-Rx Data Breach Has Compromised Sensitive Information of Almost 2.8 Million Americans.
Sav-Rx First Noticed the Cybersecurity Incident on October 8, 2023
Sav-Rx, a pharmacy benefit management (PBM) company that provides prescription drug management services disclosed a data breach on May 27, 2024 that impacted 2,812,336 people in the United States.
According to the notification sent to affected individuals, Sav-Rx first identified an interruption to their computer network on October 8, 2023.
“As a result, we immediately took steps to secure our systems and engaged third-party cybersecurity experts,” the notification reads. “Our information technology systems (“IT System”) were restored the next business day, and prescriptions were shipped on time without delay.”
While Sav-Rx was able to restore its systems and resume operations within a day, investigating whether any personal data was stolen took much longer, spanning nearly eight months according to the notification.
Hackers Accessed Customer Data as Early as October 3, 2023
With the help of third-party cybersecurity experts, Sav-Rx’s investigation concluded on April 30, 2024. The probe revealed that unauthorized parties first gained access to customer data stored on certain non-clinical systems as early as October 3, 2023.
“As part of the investigation, we learned that an unauthorized third party was able to access certain non-clinical systems and obtained files that contained personal information,” the notification from Sav-Rx states.
Types of Data Exposed in the Sav-Rx Data Breach
The personal information exposed in the Sav-Rx data breach includes:
- Full name
- Date of birth
- Social Security Number
- Email address
- Physical address
- Phone number
- Eligibility data
- Insurance identification number
Over 2.8 million people had some combination of this sensitive personal data compromised according to the breach notification.
Sav-Rx Sends Notifications and Offers Credit Monitoring
While Sav-Rx prioritized restoring operations over performing a full investigation initially, the company notes it did not rush the investigative process to ensure accuracy. Health plan customers of Sav-Rx were notified between April 30 and May 2, 2024, before the company sent breach notifications to affected individuals in late May 2024.
Sav-Rx is offering all impacted individuals 24 months of free credit monitoring and identity theft protection services. Those affected are also advised to monitor credit reports and financial accounts for any suspicious activity.
Sav-Rx Strengthened Security Measures Following the Data Breach
In response to Sav-Rx data breach, the company has implemented several new security controls and processes. This includes deploying a 24/7 security operations center, enforcing multi-factor authentication, improving network segmentation, upgrading firewalls and switches, enhancing Linux security, and using BitLocker encryption to protect data.
While no evidence currently exists that stolen data from the Sav-Rx breach has been misused, the compromise of names, financial information, medical ids and social security numbers puts the 2.8 million affected Americans at heightened risk of identity theft and fraud.
