This may be one of the best breach notifications I have ever read — for its plain language, clarity, and lack of attempt to spin. Not only did these folks respond promptly to an attack, but they had usable backups, stopped the attack quickly, and just…. handled this so well, it seems. Maybe they didn’t have all desirable security protections in place prior to the attack, but their response to it has been admirable.
Here’s their full notice, below:
SCOTTSDALE, Ariz.–(BUSINESS WIRE)–GenRx Pharmacy (“GenRx”), which is headquartered in Scottsdale, AZ, is notifying individuals of a data security incident. The incident could potentially impact the security of certain personal and protected health information regarding less than five percent of former GenRx patients. While the pharmacy is not aware of any actual harm to individuals as a result of the situation, it is providing potentially affected individuals with information via First Class mail regarding steps taken, and what can be done to protect against potential harm.
On September 28, 2020, the pharmacy found evidence of ransomware on its system and immediately began an investigation, including hiring independent information security and technology (“I.T.”) experts to assist with incident response and forensic investigation. During the ransomware attack, the pharmacy had full access to its data with unaffected backups and was able to maintain continuous business operations as they investigated. Together with forensic experts, the pharmacy terminated the cybercriminals’ access to the pharmacy’s systems the same day (September 28, 2020) and confirmed that an unauthorized third party deployed the ransomware only one day before (September 27, 2020). On November 11, 2020, the pharmacy confirmed that the cybercriminals were able to remove a small number of files that included certain health information the pharmacy used to process and ship prescribed products to patients.
What Information Was Involved
The cybercriminals accessed and removed the following health information of certain former GenRx patients: patient ID, transaction ID (a number generated to process the prescription, not related to patient financials), first and last name, address, phone number, date of birth, gender, allergies, medication list, health plan information (including member ID), and prescription information. The pharmacy does not collect patient Social Security Numbers (“SSNs”) or maintain financial information, and so there is no way that the cybercriminal could access that information of GenRx patients during this incident.
What the Pharmacy is Doing
In addition to the I.T. security measures already in place, the pharmacy has upgraded its firewall firmware, added additional anti-virus and web-filtering software, instituted multifactor authentication, increased Wi-Fi network traffic monitoring, provided additional training to employees, updated internal policies and procedures, and installed real-time intrusion detection and response software on all workstations and servers that access the company network. The pharmacy is also assessing further options to enhance its protocols and controls, technology, and training, including strengthening encryption. Additionally, the pharmacy is notifying applicable state and federal regulatory authorities as well as the three largest nationwide consumer reporting agencies – Equifax, Experian and TransUnion – of the incident.
What Affected Individuals Can Do
Although SSNs and financial information were not affected by this incident, the pharmacy recommends that as a general best practice, individuals monitor account statements and free credit reports to detect potential errors.
Affected individuals can learn more about this matter by calling the number listed in their mailed notification letter. GenRx has a strong commitment to protect personal information and is taking additional steps to enhance data security going forward. GenRx apologizes for any concern this situation has caused to its patients.