Pharmaca notifies customers of payment card breach affecting brick-and-mortar stores

Those of us who read breach notifications to state attorneys general (yes, we have no life), likely all spotted a notification in mid-January involving Pharmaca. The notification stated that in December, 2018, Pharmaca started receiving reports of payment card fraud.  Their investigation, with help from security experts, revealed that malware may have captured customer payment card info between July 19, 2018 and December 12, 2018. The incident did not impact online purchases — only purchases in their brick-and-mortar stores.  And the breach did not compromise any protected health information, they report:

Importantly, this incident does not include medical records, prescription information, Social Security numbers, driver’s license numbers, passport numbers, government identification numbers, or other sensitive information about Pharmaca’s customers.  

Customers needing more information can call the firm’s dedicated information line at 866-904-6220 from 6am to 6pm PST, Monday through Friday, and 8am to 5pm PST Saturday through Sunday.

Gemini Advisory informs DataBreaches.net that they had independently confirmed the Pharmaca breach through the identification of sold compromised payment card data being sold by one dark web vendor. The compromised data was posted for sale between October and December of 2018, they say.

Of note, Gemini’s analysis of the compromised payment card data indicated that 13 of  29 Pharmaca locations were breached in five US states:  Washington state, Oregon, California, Colorado, and New Mexico. Their research also suggested that as many as 150,000 payment cards may be associated with this breach, with the following data types involved: card number, expiration date, and occasionally the cardholder’s name.

All 29 Pharmaca locations are marked in orange, and the affected states with compromised Pharmaca locations are marked in red. Source: Gemini Advisory, used with permission. .

At this time, Gemini Advisory has turned over all of its findings to US federal law enforcement for further analysis.

Pharmaca’s notification to California appears below.

Pharmaca - Regulator Notice - CA - FINAL_0 (notice)_0

About the author: Dissent