On Nov. 7, 2025, Morton Drug Company, an independent pharmacy, announced it had experienced a significant network cybersecurity incident. The breach, which was first discovered on Aug. 20, 2025, impacted the company’s IT systems and led to the exposure of sensitive personally identifiable information (PII) and protected health information (PHI) of 40,051 individuals in the U.S.
The investigation, which concluded on or around Oct. 21, 2025, determined that the types of information exposed included names, addresses, prescription information, and, in some cases, Social Security numbers. The exact methods of the breach are not yet publicly known. However, the type of data exfiltrated and the number of people impacted suggests that this is a serious cybersecurity incident. As such, the exposure of PII and PHI puts individuals at risk of identity theft and medical fraud.
The company posted a notice of data security incident on its website on Nov. 7, 2025 and reported it to the U.S. Department of Health and Human Services on Nov. 10, 2025.
Morton Drug Company's response
Upon discovering the breach, Morton Drug Company immediately engaged third-party cybersecurity experts to assess, contain and remediate the incident. Law enforcement was also notified to assist in the investigation. The company has since reviewed and strengthened its information security protocols to help prevent similar incidents in the future.
If you receive notification from Morton Drug Company or your provid
Source: https://www.claimdepot.com/data-breach/morton-drug-2025
Rxperts Pharmacy cybersecurity rating report: https://www.rankiteo.com/company/rxpertspharmacy
"id": "RXP1764807483",
"linkid": "rxpertspharmacy",
"type": "Breach",
"date": "12/2025",
"severity": "100",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'incident': {'affected_entities': [{'customers_affected': '40,051',
'industry': 'Healthcare',
'location': 'U.S.',
'name': 'Morton Drug Company',
'size': None,
'type': 'Independent Pharmacy'}],
'data_breach': {'data_encryption': None,
'data_exfiltration': None,
'file_types_exposed': None,
'number_of_records_exposed': '40,051',
'personally_identifiable_information': ['Names',
'Addresses',
'Prescription '
'information',
'Social '
'Security '
'numbers'],
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['Personally '
'Identifiable '
'Information (PII)',
'Protected Health '
'Information '
'(PHI)']},
'date_detected': '2025-08-20',
'date_publicly_disclosed': '2025-11-07',
'date_resolved': '2025-10-21',
'description': 'Morton Drug Company, an independent pharmacy, '
'experienced a significant network cybersecurity '
'incident leading to the exposure of sensitive '
'personally identifiable information (PII) and '
'protected health information (PHI) of 40,051 '
'individuals in the U.S.',
'impact': {'brand_reputation_impact': None,
'conversion_rate_impact': None,
'customer_complaints': None,
'data_compromised': 'Sensitive personally '
'identifiable information (PII) '
'and protected health information '
'(PHI)',
'downtime': None,
'financial_loss': None,
'identity_theft_risk': 'High',
'legal_liabilities': None,
'operational_impact': None,
'payment_information_risk': None,
'revenue_loss': None,
'systems_affected': 'IT systems'},
'initial_access_broker': {'backdoors_established': None,
'data_sold_on_dark_web': None,
'entry_point': None,
'high_value_targets': None,
'reconnaissance_period': None},
'investigation_status': 'Concluded',
'post_incident_analysis': {'corrective_actions': 'Strengthened '
'information '
'security '
'protocols',
'root_causes': None},
'ransomware': {'data_encryption': None,
'data_exfiltration': None,
'ransom_demanded': None,
'ransom_paid': None,
'ransomware_strain': None},
'references': [{'date_accessed': '2025-11-07',
'source': 'Morton Drug Company Notice of Data '
'Security Incident',
'url': None}],
'regulatory_compliance': {'fines_imposed': None,
'legal_actions': None,
'regulations_violated': None,
'regulatory_notifications': ['Reported '
'to the '
'U.S. '
'Department '
'of '
'Health '
'and '
'Human '
'Services '
'on '
'2025-11-10']},
'response': {'adaptive_behavioral_waf': None,
'communication_strategy': 'Posted a notice of data '
'security incident on its '
'website',
'containment_measures': None,
'enhanced_monitoring': None,
'incident_response_plan_activated': None,
'law_enforcement_notified': 'Yes',
'network_segmentation': None,
'on_demand_scrubbing_services': None,
'recovery_measures': None,
'remediation_measures': 'Reviewed and strengthened '
'information security '
'protocols',
'third_party_assistance': 'Engaged third-party '
'cybersecurity experts'},
'title': 'Morton Drug Company Cybersecurity Incident',
'type': 'Data Breach'}}