2.8M US folks learn their personal info was swiped months ago in Sav-Rx IT heist

Sav-Rx has started notifying about 2.8 million people that their personal information was likely stolen during an IT intrusion that happened more than seven months ago.

The biz provides prescription drug management services to more than 10 million US workers and their families, via their employers or unions. It first spotted the network "interruption" on October 8 last year and notes the break-in likely occurred five days earlier, according to a FAQ page about the incident posted on the Sav-Rx website.

Sav-Rx says it restored the IT systems to normal the following business day, and says all prescriptions were shipped on time and without delay. It also notified the police and called in some experts for a deeper dive into the logs.

An "extensive review" completed by a third-party security team on April 30 confirmed "some of the data accessed or acquired by the unauthorized third party may have contained personal information."

The security breach affected 2,812,336 people, according to an incident notification filed with the Maine attorney general by A&A Services, doing business as Sav-Rx. Potentially stolen details include patients' names, dates of birth, social security numbers, email addresses, mailing addresses, phone numbers, eligibility data, and insurance identification numbers. 

"Please note that other than these data elements, the threat actor did not have access to clinical or financial information," the notice reads.

While there's no indication that the crooks have "made any use of your data as a result of this security incident," Sav-Rx is providing everyone with two years of free credit and identity monitoring, as seems to be standard practice.

There's also an oddly worded line about what happened that notes, "in conjunction with third-party experts, we have confirmed that any data acquired from our IT system was destroyed and not further disseminated."

The Register contacted Sav-Rx with several questions about the network breach — including how it confirmed the data was destroyed and if the crooks demanded a payment — and did not receive a response. We will update this story when we hear back. It seems like some form of ransomware or extortion.

• Auction house Christie's confirms criminals stole some client data
• Bayer and 12 other major drug companies caught up in Cencora data loss
• BreachForums returns, just weeks after FBI-led takedown
• Casino cyberattacks put a bullseye on Scattered Spider – and the FBI is closing in

Either anticipating, or already receiving, inquiries about why the lag between discovering the intrusion and then notifying affected parties, the FAQ also includes a "Why wasn't I contacted sooner?" question.

"Our initial priority was restoring systems to minimize any interruption to patient care," it answers.

And then, after securing the IT systems and hiring the incident response team, Sav-Rx launched an investigation to determine who had been affected, and what specific personal information had been stolen for each of them.

Then, it sounds like there was some back-and-forth between healthcare bodies and Sav-Rx as to who would notify people that their data had been stolen. Here's what the company says to that point:

It's unclear if this will be enough to satisfy affected customers. But in a statement to reporters, Roger Grimes, of infosec house KnowBe4, said the short answer is probably not.

"I don't think the eight months it took Sav-Rx to notify impacted customers of the breach is going to fly with anyone, least of all their customers," Grimes said. 

"Today, you've got most companies notifying impacted customers in days to a few weeks," he added. "Eight months? Whoever decided on that decision is likely to come under some heat and have explaining to do."

Sav-Rx claims to have implemented a "number of detailed and immediate mitigation measures" to improve its security after the digital break-in. This includes "enhancing" its always-on security operations center, and adding new firewalls, antivirus software, and multi-factor authentication. 

The organization also says it has since implemented a patching cycle and network segmentation and taken other measures to harden its systems. Hopefully it can also speed up its response times if it happens again. ®