Class Action Filed Over March 2023 BrightSpring Health Services Data Breach Affecting Roughly 535K People [DISMISSED]

New to ClassAction.org? Read our Newswire Disclaimer

BrightSpring Health Services faces a proposed class action that alleges the specialized/chronic care provider is to blame for a March 2023 data breach believed to have impacted roughly 535,000 people, including current and former employees. 

Want to stay in the loop on class actions that matter to you? Sign up for ClassAction.org’s free weekly newsletter here.

The 51-page suit says data compromised in the incident included the full names, addresses, dates of birth and Social Security numbers of people whose personal information was maintained on BrightSpring’s computer systems. 

According to the case, BrightSpring maintained the data in a reckless manner, unencrypted, unredacted and without adequate safeguards. 

“Plaintiff’s and Class Members’ identities are now at risk because of Defendant’s negligent conduct because the [personally identifiable information] that [BrightSpring] collected is now in the hands of data thieves,” the lawsuit emphasizes. 

Around June 21 of this year, BrightSpring began to send to data breach victims a notice that stated the company learned of suspicious activity on its computer network in mid-March, the filing says. The company relayed that its investigation revealed that an unknown third party accessed its computer systems from March 12 to March 13, 2023, and that certain personal information, including employee details, may have been obtained during the incident. 

The case notes, however, that the BrightSpring data breach notice lacked an explanation as to why the company waited until three months after the incident to contact victims, much less details on the root cause of the intrusion and the measures taken to ensure such an incident does not happen again. 

The suit contends that the BrightSpring data breach was a targeted cyberattack, particularly given the defendant’s status as a healthcare services company in possession of myriad personal information on its computer systems.

As the case tells it, BrightSpring’s offer of 12 months of identity theft monitoring services to data breach victims is “wholly inadequate” as it fails to compensate current and former employees for the ongoing risk of fraud and the disclosure of their information. 

The lawsuit looks to cover all persons whose personally identifiable information was maintained on BrightSpring’s computer systems that were compromised in the March 2023 data breach, including those who received a notice letter from the company. 

Earlier this year, BrightSpring parent company Res-Care and PharMerica were hit with a proposed class action over a March 2023 cyberattack that allegedly affected more than 5.8 million people.

Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s free weekly newsletter here.