Jun 4, 2024

2.8 Million Social Security Numbers Leaked in Sav-Rx Data Breach

2.8 Million Social Security Numbers Leaked in Sav-Rx Data Breach - data breach concept

On October 3rd, 2023, A&A Services d/b/a Sav-Rx, also known as Sav-Rx, suffered a data breach that exposed the personal information of over 2.8 million people in the United States. On Friday, March 24th, 2024, Sav-Rx notified the Maine Attorney General's office of a cybersecurity incident, where it attached a copy of the notice it sent to its customers explaining what occurred. As the notice explains, on October 8th, 2023, Sav-Rx identified an interruption in its computer network. 

As a result of the breach, the company's first reaction was to secure its systems and ensure it restored operations as quickly as possible. The turnaround time was quick, as its information technology systems were restored the next business day, and prescriptions were shipped "on time without delay," the company said in the report. 


Sav-Rx Delays Customer Notifications for Eight Months Due to Investigations

Some customers noted the time gap in which the company decided to inform those potentially affected by the breach, as it took them eight months to send out notices of the breach. According to the company's FAQ page, it did not jump to inform certain groups due to prioritizing the investigation of the issue at hand. The company said, "Immediately upon learning of an interruption to our computer network, we took steps to secure our systems and engaged third-party cybersecurity experts. Our initial priority was restoring systems to minimize any interruption to patient care." 

The healthcare company claims that after it secured its systems, it worked with third-party cybersecurity experts to launch an investigation into the incident. The investigation aimed to determine which individuals were affected and what specific elements of each individual's personal information were accessed. Once the technological investigation was concluded, and Sav-Rx received the results of that investigation on April 30th, 2024, within 48 hours, it sent the proper notifications to their health plan customers whose participant data was affected by the breach.


Hackers Made Away With More Than Just Social Security Numbers

As concluded in its initial investigation, Sav-Rx determined the unauthorized party was able to access certain non-clinical systems and obtained files that contained health information five days prior to its initial discovery of the incident on October 8th. Then, the results from the April 30th investigation with third-party experts revealed that some of the data accessed or acquired by the unauthorized third party may have contained over 2.8 million of its customer's health information. 

Along with customers' social security numbers, the information potentially accessed by the third party includes full names, dates of birth, email addresses, physical addresses, phone numbers, eligibility data, and insurance identification numbers. Since the discovery, Sav-Rx has issued notification letters to those affected by the breach and says those who did not receive a notice letter can assume their information was not affected.

However, the healthcare company also mentioned that if you did not receive a letter, it was possible they may not have had "sufficient contact information" on hand to provide you with a notice. Those who suspect their information may have been compromised during the breach or would like to verify that their information was not affected can contact their designated call center at 888-326-0815.


Sav-Rx Offers Its Customers Free Two-Year Data Protection

After the breach, Sav-Rx took measures to improve its security, including enhancing a number of features such as a 24/7 security operations center, upgrading its Microsoft Defender antivirus and firewall, adding new firewall and switches, customer multi-factor authentication, BitLocker, Zabbix, and reinforcing it' cycle implementation, network segmentation, Linux system, improving its website/portal, and updating its policy and procedure development. The company claims it will continue to analyze its system and, in the future, look for additional opportunities to enhance its security.

Currently Sav-Rx does not believe the information accessed by the unauthorized party has been used in any malicious manner; however, it did note the type of information stolen was more than enough for any hacking group to use in identity theft, phishing or other social engineering attacks. Out of an abundance of caution, Sav-Rx is offering affected customers complimentary access to 24 months of credit monitoring and identity theft restoration services through Equifax. 

In addition to enrolling in the free two-year credit monitoring services, Sav-Rx recommends that those affected by the breach remain vigilant for incidents of fraud and identity theft that may be taken against their accounts. Those affected by the breach may report any fraudulent activity or any suspected incidents of identity theft to their bank or other financial institution holding their accounts.

Customers have the right to contact their state attorney general and the Federal Trade Commission and to obtain a police report if one has been created for the incident. For more information and assistance, Sav-Rx has set up a hotline at 1-888-326-0815, Monday through Friday, 9 a.m. to 9 p.m. EST. Affected customers may also email the company at inquiry@savrx.com.


Learn More About Sav-Rx and the Data Breach by Contacting an Attorney

Headquartered in Fremont, Nebraska, Sav-Rx is a pharmacy benefit manager that provides prescription drug benefit services to various organizations, such as unions, employers, and health plans. Sav-Rx manages and facilitates prescription medication delivery and negotiates with drug manufacturers and pharmacies regarding prices and more. If you or someone you know has received a letter from Sav-Rx regarding their personal information being accessed during the 2023 breach, do not wait to contact a Morgan & Morgan data breach attorney.

Speaking with an experienced attorney will help you better understand the scope of your situation as well as determine what your legal options are. For more information about how a Morgan & Morgan data breach attorney can help you, connect with us today by completing our free, no-obligation case evaluation form.