Sav-Rx data breach affects 2.8M individuals

Sav-Rx, a Nebraska-based pharmacy benefit management (PBM) company, alerted 2.8 million individuals of a data breach that occurred in October 2023. Although Sav-Rx identified the disruption on its computer network in October, it was not until April 30, 2024 that it received the results of its investigation and notified health plan customers.

After discovering the interruption on October 8, Sav-Rx said it immediately engaged third-party experts and restored its systems the following day.

“The disruption to our IT systems did not result in any material disruption to patient care. Prescriptions were shipped on time and without delay,” Sav-Rx stated.

“Our adjudication system was not affected so network pharmacy claims adjudicated continuously without impact or delay.”

The investigation revealed that an unauthorized party was able to access certain non-clinical systems and acquire files containing personal information.

The affected information included names, dates of birth, email addresses, phone numbers, Social Security numbers, eligibility data, insurance identification numbers and addresses. The threat actor did not access clinical or financial information.

“We worked with third-party cybersecurity experts, we contained the incident and confirmed that any data acquired from our IT system was destroyed and has not been disseminated any further,” Sav-Rx stated.

Sav-Rx said that it has since implemented several mitigation measures and enhanced select features, including multi-factor authentication, network segmentation, Linux system hardening, and enhanced geo-blocking.

Impacted individuals were encouraged to access the free credit monitoring provided by Sav-Rx and to remain vigilant for incidents of fraud and identity theft.