Originally published by our sister publication Specialty Pharmacy Continuum
By Marcus A. Banks
“Cybersecurity often falls too far down the chain of priority for pharmacists, when it should be prioritized,” Brad Gallagher, JD, told Pharmacy Technology Report. Mr. Gallagher, a partner and co-leader of the Health Care Controversies Team for law firm Barclay Damon, noted that pharmacy leaders sometimes focus on strategies for increasing revenues as cybersecurity takes a back seat.

Last year’s large data breach at payment provider Change Healthcare was a wake-up call to keep cybersecurity top of mind, noted Mr. Gallagher, who spoke about cybersecurity strategies at the APhA 2025 Annual Meeting & Exposition, in Nashville, Tenn. The breach left pharmacies unable to process claims with insurers, or with manufacturers for patient coupons, or to receive reimbursement.
“The Change Healthcare breach impacted perhaps 190,000,000 Americans. Pharmacy leaders should make sure their patient information is protected,” Mr. Gallagher said.
A pharmacy will likely face litigation costs to defend against lawsuits after a breach, in addition to costs needed to safeguard information technology. Mr. Gallagher noted that, as of March 2025, Change Healthcare was involved in close to 70 class-action lawsuits following that data breach.
“It’s crushing to your reputation, particularly if you’re a smaller community pharmacy that serves half your town or more,” Mr. Gallagher said, noting that customers’ financial and/or health information is now available and could be used in cyber ransom schemes.
Even if pharmacies strengthen their defenses after a successful cyberattack—which takes time and money—the reputational stain may endure, Mr. Gallagher said, adding that the best defense is to build strong walls against the possibility of a cyberattack in the first place.
Fortunately, there are some straightforward ways to minimize the chances of a cyberattack.
“Most cyberattacks happen because of phishing schemes or a lack of two-factor authentication,” Mr. Gallagher said. It’s essential to train employees to be on alert when an email comes from an unknown sender or uses unusual language, and to never click on a link without knowing the source. The goal is to give hackers fewer access routes into internal systems.
Many pharmacies now use apps to store and transmit patient data, Mr. Gallagher noted, because this is convenient for patients. That’s good, as long as the app vendors have robust data encryption plans in place.
“Do your due diligence with all vendors,” Mr. Gallagher advised. Not every vendor is healthcare-specific, so some may not have patient data protection at the top of their agenda. If a vendor cannot answer data protection questions readily, they are likely a poor fit, Mr. Gallagher said.
Another hedge against cyberattacks is to have some paper record processes in place, so that the work of the pharmacy can continue to some extent in the event of an incident. Healthcare is an attractive target for cyberattacks because there is often no way to do business without getting back online, which makes ransom costs high.
“Have backup servers and paper backup policies and procedures in place,” Mr. Gallagher recommended, to strengthen leverage against a cyberattack.
Mr. Gallagher serves on the National Association of Specialty Pharmacy Legal Committee.