US health giant PharMerica, a popular nationwide pharmacy services provider, disclosed a massive data breach affecting 5.8 million patients.

PharMerica is one of the largest US-based pharmacy services providers, serving patients in 50 states and operating over 180 local pharmacies and 70,000 backup pharmacies. It’s the US’s second-largest institutional pharmacy services company, with revenues exceeding $2.1 billion last year.

The breach came to light on March 14, 2023, when PharMerica and its parent company, BrightSpring Health Services, discovered suspicious activity on their computer network.

An investigation showed that an unknown threat actor compromised PharMerica’s systems and stole certain personal and limited medical information, including names, dates of birth, Social Security numbers, medication lists and health insurance data.

PharMerica says it has no evidence that stolen data was used to perpetrate fraud or identity theft.

While the company didn’t specify who was behind the incident, tech news site BleepingComputer reported that the Money Message ransomware gang had added PharMerica and BrightSpring Health Services to their victim list in late March.

The group claimed to have stolen 4.7 TB of data from the company, including at least 1.6 million unique records of personal information.

The gang reportedly published all of the allegedly stolen data on their data leak site, and it appears that someone has already leaked the entire data dump on a hacking forum.