The California Office of the Attorney General disclosed a data breach affecting Palomar Health, stemming from unauthorized access to PharMerica’s computer systems between March 12–13, 2023. The incident exposed sensitive patient data, including names, addresses, dates of birth, Social Security numbers, medication records, and health insurance details. While the exact number of impacted individuals remains undisclosed, the breach poses significant risks of identity theft, financial fraud, and misuse of protected health information (PHI). The compromised data particularly Social Security numbers and medical records heightens the potential for long-term harm, including targeted phishing, insurance fraud, or blackmail. As a healthcare provider, Palomar Health’s breach underscores vulnerabilities in third-party vendor systems (PharMerica) and the cascading consequences of supply-chain cyberattacks. The lack of clarity on the affected population further complicates mitigation efforts, leaving patients and the organization exposed to regulatory scrutiny under HIPAA and state privacy laws.
Source: https://oag.ca.gov/ecrime/databreach/reports/sb24-568299
TPRM report: https://www.rankiteo.com/company/palomar-health
"id": "pal1012090725",
"linkid": "palomar-health",
"type": "Breach",
"date": "3/2023",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"{'affected_entities': [{'customers_affected': 'Unknown',
'industry': 'Healthcare',
'location': 'California, USA',
'name': 'Palomar Health',
'type': 'Healthcare Provider'},
{'customers_affected': 'Unknown (systems breached)',
'industry': 'Healthcare',
'name': 'PharMerica',
'type': 'Pharmacy Services Provider'}],
'attack_vector': 'Unauthorized Access',
'data_breach': {'data_exfiltration': 'Likely (unauthorized access)',
'number_of_records_exposed': 'Unknown',
'personally_identifiable_information': ['Names',
'Addresses',
'Dates of Birth',
'Social Security '
'Numbers'],
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['Personally Identifiable '
'Information (PII)',
'Protected Health Information '
'(PHI)']},
'date_publicly_disclosed': '2023-06-21',
'description': 'The California Office of the Attorney General reported a data '
'breach involving Palomar Health on June 21, 2023. The breach '
"occurred through unauthorized access to PharMerica's computer "
'systems from March 12 to March 13, 2023, potentially '
'affecting patient information including names, addresses, '
'dates of birth, Social Security numbers, medications, and '
'health insurance information. The number of individuals '
'affected is currently unknown.',
'impact': {'data_compromised': ['Names',
'Addresses',
'Dates of Birth',
'Social Security Numbers',
'Medications',
'Health Insurance Information'],
'identity_theft_risk': 'High (PII and SSNs exposed)',
'systems_affected': ["PharMerica's computer systems"]},
'initial_access_broker': {'high_value_targets': ['Patient PII/PHI']},
'investigation_status': 'Ongoing (number of affected individuals unknown)',
'references': [{'date_accessed': '2023-06-21',
'source': 'California Office of the Attorney General'}],
'regulatory_compliance': {'regulations_violated': ['Likely HIPAA (Health '
'Insurance Portability and '
'Accountability Act)',
'California Consumer '
'Privacy Act (CCPA)'],
'regulatory_notifications': 'California Office of '
'the Attorney General'},
'response': {'communication_strategy': 'Public disclosure via California '
'Office of the Attorney General'},
'title': 'Data Breach at Palomar Health via PharMerica Systems',
'type': 'Data Breach'}