Posted On February 4, 2022 Consumer Privacy & Data Breaches
February 4, 2022 – Recently, Injured Workers Pharmacy, a pharmacy that caters to employees who were injured on the job and receiving workers’ compensation benefits, announced that several employee email accounts were compromised in a recent cyberattack. As a result of the Injured Workers Pharmacy data breach, the personal information of more than 75,000 individuals was compromised. While Injured Workers Pharmacy cannot confirm which consumers’ data was viewed or if any was retained, the information in the hacked email accounts may include names, addresses, and Social Security numbers.
News of the Injured Workers Pharmacy data breach just broke, and details of the event are still sparse. However, the data breach lawyers at Console & Associates, P.C. are actively investigating the Injured Workers Pharmacy security breach. If an investigation reveals that Injured Workers Pharmacy failed to ensure the safety of consumer data leading up to the breach, the pharmacy may be liable through a data breach class action lawsuit.
Cyberattacks such as the Injured Workers Pharmacy data breach are increasingly common in today’s society. Today more than ever, information is stored electronically. While there are ways to protect against cyberthreats, hackers have ways of identifying vulnerabilities in data security systems, which they can then exploit.
Once a cybercriminal breaches a computer network, they can access and remove sensitive consumer information from the compromised systems. While there is no guarantee that this information will be used for criminal purposes, that is not an uncommon occurrence. Thus, as a matter of course, after a company experiences a data breach, they will inform anyone whose information was compromised. Despite the risks data breaches present, many consumers fail to take precautionary measures to protect themselves from identity theft and other frauds.
Those impacted by a data breach should be sure they understand what happened, what their rights are, and how they can pursue them.
When you allowed Injured Workers Pharmacy access to your personal data, you trusted the company to keep your sensitive information safe. However, news of the Injured Workers Pharmacy data breach raises some very serious questions about the company’s data security measures and whether there was more the business could have done to prevent this type of cyber-attack.
Regardless of the industry, all businesses have a legal obligation to protect consumer information in their possession. Although creating and maintaining a data security system is costly, this is a necessary expense given the frequency with which cyberattacks occur.
Consumers whose personal, identifying, financial or healthcare-related data was compromised in a data breach can pursue legal action against a company that misused or mishandled their information. However, the investigation into the Injured Workers Pharmacy breach is only in its beginning phases. For that reason, it is too early to tell if Injured Workers Pharmacy was legally responsible for the breach. However, our data breach attorneys are investigating the Injured Workers Pharmacy security breach to determine the potential legal remedies of those affected.
If you have questions about your ability to pursue a data breach class action lawsuit against Injured Workers Pharmacy, contact a data breach attorney as soon as possible.
If you are a patient who filled prescriptions through Injured Workers Pharmacy, it is possible you will receive a data breach notification from the company in the coming weeks. If you do, it means your personal data was among that which was compromised in the recent cyberattack. It also means a cybercriminal may have accessed and stolen your personal data. Given the risks involved, it is important you remain vigilant by taking the following steps:
While placing a credit freeze on your accounts may initially seem like a drastic measure, according to the identity Theft Resource Center (“ITRC”), doing so is the “single most effective way to prevent a new credit/financial account from being opened.” However, IRTC reports that just 3% of consumers whose information is leaked place a freeze on their accounts.
Injured Workers Pharmacy (“IWP”) is a specialized pharmacy that caters to those receiving workers’ compensation benefits. The company operates in all 50 states, filling 2,000 prescriptions per day for more than 17,000 injured workers. Injured Workers Pharmacy provides next-day delivery for most medications and focuses on making the process as easy on the patient as possible. Of course, in occupying this role, Injured Workers Pharmacy has access to a large amount of consumer data.
According to an official notice filed by the company, Injured Workers Pharmacy noticed suspicious activity on several employee email accounts on May 11, 2021. In response, the company launched an internal investigation to determine the nature and scope of the incident. Injured Workers Pharmacy then learned that seven employee email accounts were accessed by an unknown party between January 16, 2021 and May 12, 2021.
The company then reviewed the affected email accounts to determine whether any consumer information was compromised. Injured Workers Pharmacy completed this review on December 14, 2021, confirming that the information may have included names, addresses and Social Security numbers. According to one source, the total number of affected parties may be as high as 75,771 individuals.
On February 3, 2021, Injured Workers Pharmacy began sending out data breach notification letters to all individuals whose information was contained in the affected employee email accounts.
Below is a copy of the initial data breach letter issued by Injured Workers Pharmacy (the actual notice sent to consumers can be found here):
Injured Workers Pharmacy (“IWP”) writes to notify you of a recent event that may affect the security of some of your information. Although there is no indication that your information has been misused in relation to this event, we are providing you with information about the event, our response to it, and what you may do to better protect your personal information, should you feel it appropriate to do so.
What Happened? On or about May 11, 2021, IWP learned of suspicious activity related to an IWP employee email account. In response, we launched an investigation to assess the security of our systems and to confirm the full nature and scope of the activity. This investigation revealed that an unknown actor accessed a total of seven (7) IWP e-mail accounts between January 16, 2021 and May 12, 2021. Accordingly, IWP, with the assistance of data review specialists, undertook a comprehensive and time-intensive review of the contents of the affected email accounts to determine if they contained personal information and, if so, to whom the information related. This review determined that the affected e-mail accounts contained patient information in IWP systems.
What Information was Involved? While we currently have no evidence that any information has been misused, the investigation determined the following types of your information were contained in an affected email account: your <<b2b_text_2(name, data elements)>><<b2b_text_4(name, data elements cont)>>.
What We Are Doing. Safeguarding the privacy of information held in our care and the security of our network are among IWP’s highest priorities. Upon learning of this event, we immediately reset passwords to impacted accounts, and investigated and remediated the event. We also took action to further enhance our security measures already in place to protect our email systems and data. IWP also reported this event to government regulators.
What You Can Do. IWP encourages you to remain vigilant against incidents of identity theft and fraud by reviewing your account statements and monitoring your credit reports for suspicious activity and to detect errors. Please review the enclosed Steps You Can Take to Help Protect Your Personal Information for useful information on what you can do to better protect against possible misuse of your information.
For More Information. If you have additional questions, you may our call center at (855) 545-2591 (toll free), Monday through Friday, 9:00 am to 6:30 pm Eastern Time, excluding U.S. holidays. You may also write to IWP at 300 Federal Street, Andover, MA 01810.
We sincerely regret any inconvenience or concern this may have caused you. IWP remains committed to safeguarding information in our care, and we will continue to take proactive steps to enhance the security of our systems.