Personal Details of Over 2.8 Million Americans Stolen in Sav-Rx Data Breach

Sav-Rx asked affected clients to be aware of any fraudulent activities or identity theft.
Personal Details of Over 2.8 Million Americans Stolen in Sav-Rx Data Breach
A hacker uses his computer in Dongguan in China's southern Guangdong Province, on Aug. 4, 2020. (Nicolas Asfouri/AFP via Getty Images)
Naveen Athrappully

Prescription services company Sav-Rx disclosed a data breach affecting nearly three million Americans, with client information like names, phone numbers, and social security numbers likely stolen by the hackers.

The data breach occurred on Oct. 8 2023 when Sav-Rx identified an interruption to their computer network.
The company hired third-party cybersecurity experts and was able to restore its IT systems the next day. “The disruption to our IT systems did not result in any material disruption to patient care. Prescriptions were shipped on time and without delay. Our adjudication system was not affected so network pharmacy claims were adjudicated continuously without impact or delay,” the company said.

However, Sav-Rx discovered that an unauthorized third party was able to access files containing the personal information of clients. After an extensive review was completed on April 30, the company confirmed that some personal data had potentially been acquired by a third party.

Stolen information includes names, dates of birth, social security numbers, phone numbers, addresses, email IDs, eligibility data, and insurance identification. According to the company, other data, including clinical and financial information, were not accessed by the hacker(s).

More than 2.81 million individuals were affected by the breach. Sav-Rx sent notifications to health plan customers whose data had been affected.

“If you did not receive a letter from us, either the investigation did not indicate that your information was affected by the incident or we did not have sufficient contact information to provide you with a letter notice. If you would like to confirm whether your data may have been affected, please contact our call center at 888-326-0815,” the company said.

Sav-Rx is offering all affected customers complimentary access to 24 months of credit monitoring and identity theft restoration services via Equifax. The firm recommended clients remain vigilant for instances of fraud and identity theft.

It advised people to promptly report such fraudulent activity or suspected incidents of such activities to their financial institutions as well as authorities like the U.S. Federal Trade Commission (FTC).

The firm claims the issue has been resolved and that it has taken steps to strengthen security protocols. The company also said it is currently not aware of any third party using the stolen data. Law enforcement officials were also alerted about the issue.

On May 16, another prescription services provider, MediSecure from Australia, confirmed a cybersecurity incident that resulted in personal information and client health details being stolen and made available on the dark web.

Cyber Threats to the United States

The Sav-Rx data breach comes amid concerns about rising cyber threats facing American citizens. According to a report by Surfshark, a Netherlands-based cybersecurity firm, the United States accounted for the most number of hacked emails and other personal accounts in the world last year.

Out of 300 million global accounts in 2023, around 97 million or roughly a third were from the United States. This is more than triple the 30.9 million American accounts breached in 2022. In second place was Russia with 79 million hacked accounts. China fell from second spot to 12th place during this period.

A key risk facing the United States is cybersecurity threats from China. In January, it was revealed that a multi-agency operation eradicated Chinese malware embedded in America’s critical infrastructure.

“The purpose of the hacking was not to collect intelligence,” Rep. Raja Krishnamoorthi (D-Ill.) said during a hearing. “The purpose of the hacking was to install malware that, once activated, would disrupt or damage the infrastructure.”

If the Chinese communist regime had activated the malware, it’d have physically harmed numerous citizens, he said, noting that such a development would be considered an act of war.

“This means targeting Americans ... This means we could suffer large-scale blackouts in major cities. We could lose access to our cell towers and the internet. We could lose access to clean water and fuel,” the lawmaker said.

Taiwan could be a flashpoint in China’s cyberattack plan against the United States. China has long wanted to annex Taiwan.

The United States and Taiwan are not formal allies. However, Washington maintains an ambiguous policy that suggests America could come to Taiwan’s defense if the island faces a military incursion from China.

“We think that if there is an attack on Taiwan, we’re gonna get hit because they expect us to come to the aid of Taiwan; they want to slow us down,” Rep. Carlos A. Gimenez (R-Fla.) told The Epoch Times.

A March 25 report from the Foundation for Defense of Democracies (FDD) called for the creation of an independent cyberservice for the U.S. military alongside the Army, Air Force, Navy, Marine Corps, Coast Guard, and Space Force.

It was pointed out that the “scope and scale” of cyber threats are growing, with China having already centralized its cyber, electronic warfare, space, and psychological warfare capabilities. Russia also poses a threat to American critical infrastructure, according to the report.

In the face of these threats, America’s “cyber force generation system is clearly broken,” the report said. “Fixing it demands nothing less than the establishment of an independent cyber service.”

The FDD recommended that Congress create a Cyber Force branch with a starting staff level of 10,000 employees and a budget of $16.5 billion.