Ron’s Pharmacy Services Notifies Patients of Email Compromise
San Diego, California: February 2, 2018 – Ron’s Pharmacy Services (“Ron’s Pharmacy”) is notifying certain patients of the unauthorized access to certain limited pieces of patient information, including patient names, Ron’s Pharmacy internal account numbers, and payment adjustment information.
This information also included prescription medication information for a small number of impacted individuals. Although we are unaware of any actual or attempted misuse of protected health information, Ron’s Pharmacy is providing its impacted patients with information about the event, steps taken since discovering the incident to mitigate the risk of misuse of the information, and what can be done to better protect against potential harm resulting from this event.
On October 3, 2017, Ron’s Pharmacy identified unusual activity in an employee email account. As part of Ron’s Pharmacy’s immediate and ongoing investigation into the incident, on December 21, 2017, it was determined that patient information was in fact viewed by an unauthorized actor.
“We take this incident very seriously,” Ron Belville, President of Ron’s Pharmacy, stated. “Upon learning of the event, we immediately changed the credentials to the email account and launched an extensive internal investigation, which was supported by a third-party forensic investigation firm, into the nature and scope of the incident. Once we confirmed protected health information was accessed without authorization, we immediately took steps to notify our impacted patients of the incident. We have provided additional staff training and are reviewing our policies and procedures to better protect against an event like this from happening again.”
Ron’s Pharmacy is mailing letters to its impacted patients on February 2, 2018. Ron’s Pharmacy is also disclosing this incident to the U.S. Department of Health and Human Services and the California Attorney General’s office.
Ron’s Pharmacy is unaware of any actual or attempted misuse of its patients’ information, and emphasizes that the impacted information did not contain patient Social Security numbers, financial account information, or health insurance information.
Nevertheless, Ron’s Pharmacy encourages its patients to review their Ron’s Pharmacy account statements, health insurance account records, and explanation of benefits forms for suspicious activity, and to immediately report all suspicious activity to the institution that issued the record.
To better assist its patients, Ron’s Pharmacy has established a toll-free privacy inquiry line to answer any questions. This privacy inquiry line is available Monday through Friday, 6:00 a.m. to 6:00 p.m. PST at (855) 367-5406. This inquiry line will remain open until May 3, 2018.
SOURCE Ron’s Pharmacy Services
Note: Interestingly, the template notification letter submitted to the California Attorney General’s Office provided a slightly different description of how the hacker gained access:
On October 3, 2017, Ron’s Pharmacy identified unusual activity in an employee email account. Ron’s Pharmacy immediately changed the employee’s credentials and commenced an investigation, with the assistance of third-party forensic investigators, to determine what happened. As part of this investigation, we determined that the employee’s email account was subject to unauthorized access and certain emails were viewed as a result of the unauthorized individual(s) using software to crack the employee’s email account password.