Data breach at Arizona pharmacy impacted close to 800,000 patients

OnePoint Patient Care, a hospice-dedicated pharmacy located in Tempe, Arizona, said that the data security incident it suffered earlier this year compromised the sensitive personal information of close to 800,000 individuals.

 

In a letter sent to affected individuals, OnePoint Patient Care said that on August 8, it detected suspicious activity in its internal network. The pharmacy said it immediately launched an investigation, with assistance from external cyber security experts, to determine the nature and scope of the incident.

 

“The incident had no impact on OPPC’s operations but, on August 15, 2024, OPPC learned that, between August 6 and 8, 2024, someone obtained some individuals’ personal information from OPPC’s systems without authorisation”, it said in a data security incident notice posted on its website.

 

The compromised data included names, addresses, residence information, medical record numbers, diagnosis, Social Security numbers and prescription information. OPPC’s filing with the U.S. Department of Health and Human Services Office for Civil Rights revealed that it identified at least 795,916 individuals who were impacted by the incident.

 

“OPPC has taken, and is taking, additional steps including changes to make its safeguards even better and to help reduce the likelihood of a similar event from happening in the future,” the pharmacy added.

 

While OPPC found no evidence of the compromised information being misused, it has advised all affected individuals to regularly monitor their credit reports, account and benefit statements and report any suspicious activity to law enforcement authorities, including the police and state attorney general.

 

The organisation has also offered one year of complimentary identity protection and credit monitoring services through Experian IdentityWorks to all affected individuals.

 

In September, the INC RANSOM group claimed responsibility for the cyber attack on OPPC and listed it as a victim on its data leak site. The group gave a deadline of 22 hours after which it published the stolen data, indicating a failed ransom negotiation.