Prescription management company Sav-Rx is warning over 2.8 million people in the United States that it suffered a data breach, stating that their personal data was stolen in a 2023 cyberattack.

A&A Services, doing business as Sav-RX, is a pharmacy benefit management (PBM) company that provides prescription drug management services to employers, unions, and other organizations across the U.S.

On Friday, the company notified the Maine Attorney General’s office of a cybersecurity incident in October 2023 that exposed the data of 2,812,336 people.

“On October 8, 2023, we identified an interruption to our computer network. As a result, we immediately took steps to secure our systems and engaged third-party cybersecurity experts,” reads the notification sent to impacted individuals. 

“Our information technology systems (“IT System”) were restored the next business day, and prescriptions were shipped on time without delay.”

The impact on its business operations was kept to a minimum, with no delays in the shipment of medical prescriptions or pharmacy claims.

While their systems were restored in a day, investigating whether personal data was stolen took much longer.

According to the data breach notification, their investigation took almost eight months and was completed on April 30, 2024, with the help of third-party experts.

This investigation revealed that the hackers first accessed customer data on October 3, 2023.

“As part of the investigation, we learned that an unauthorized third party was able to access certain non-clinical systems and obtained files that contained personal information,” informs Sav-Rx.

The types of data exposed in this incident include:

  • Full name
  • Date of birth
  • Social Security Number (SSN)
  • Email address
  • Physical address
  • Phone number
  • Eligibility data
  • Insurance identification number

In a FAQ page on its site, Sav-Rx explains that it took them eight months to send out notices of breach to impacted customers because their initial priority was to minimize interruption to patient care before launching an investigation on the impact of the incident.

Sav-Rx also noted that it didn’t rush to conclude the investigations, striving for as accurate results as possible. It says its health plan customers (impacted organizations) were notified earlier, between April 30 and May 2, 2024.

Sav-Rx then reached an agreement with its business customers to notify impacted individuals, and hence, the letters were circulated late last week.

The company notes that it did not have sufficient contact information to notify some individuals in many cases, so people are urged to confirm if they’re affected by calling 888-326-0815.

Among the new security measures Sav-Rx implemented in response to this incident are setting up a 24/7 security operations center, implementing multi-factor authentication on critical accounts, network segmentation, enhanced geo-blocking, upgraded firewalls and switches, strengthened Linux security, and BitLocker encryption.

Though the firm currently has no evidence that the stolen information was misused or disseminated on the dark web, it enclosed instructions in the letters on enrolling in a two-year credit monitoring and identity theft protection service.

As the stolen data contains sensitive information that can be used for identity theft, it is strongly advised that those impacted monitor their credit reports for fraudulent activity.