The Wisconsin-based long-term care pharmacy disclosed unauthorized access to its network systems.
Morton Drug Company, which operates long-term care pharmacy services in Wisconsin, reported a network security incident that affected 40,051 individuals. The company said it detected unauthorized access to its IT environment around August 20, 2025, and later confirmed that patient information had been exposed. According to the U.S. Department of Health and Human Services breach reporting portal, the incident involved personally identifiable information and protected health information.
The company completed its investigation in October 2025 and determined that the exposed data varied by individual. Information involved included names, addresses, prescription details, and, in some cases, Social Security numbers. Morton Drug Company said the breach stemmed from unauthorized network access, though it has not publicly disclosed the specific attack method. The organization posted a notice of data security incident on November 7, 2025, and submitted the required report to federal regulators days later. While no misuse has been identified, the nature of the exposed data required notification to affected individuals.
Morton Drug Company said it immediately engaged external cybersecurity specialists to investigate and contain the incident once it was identified. Law enforcement was notified, and steps were taken to secure systems and strengthen information security practices. The pharmacy said it has no evidence that the exposed information has been used for fraud, but advised affected individuals to remain alert for suspicious activity involving their personal or prescription information.
Breaches like the one reported by Morton Drug Company continue to add up across the healthcare sector. According to the American Hospital Association’s 2025 cybersecurity year review, “33 million Americans had their health care records stolen so far this year,” a figure the group said “is still far too high and should not be tolerated as the norm.” While that total is lower than in recent years, the AHA cautioned against viewing the decline as meaningful progress.
By the end of 2024, “259 million Americans’ protected health information (PHI) had been reported as hacked, a new record,” the association noted. Even as breach totals fall from those historic highs, incidents affecting pharmacies, clinics, and long-term care providers show that unauthorized network access and unencrypted data remain persistent risks across healthcare operations of all sizes.
They manage prescription data, patient identifiers, and insurance information, which can be misused for fraud or resale.
No. The types of information involved vary by individual, depending on the records stored in the accessed systems.
It is less common than clinical or prescription data, but when present, it increases identity theft risk and notification requirements.
Unfamiliar account activity, unexpected communications referencing prescriptions, or notices about benefits they did not request.
Yes. Breaches involving protected health information above federal thresholds must be reported to HHS and disclosed to affected individuals.