PharMerica, BrightSpring Hit with Class Action Over March 2023 Cyberattack Affecting 5.8M
Last Updated on June 19, 2023
Marallo v. PharMerica Corporation et al.
Filed: June 9, 2023 ◆§ 3:23-cv-00298-CHB
A class action claims pharmacy services provider PharMerica Corporation and parent company Res-Care, Inc. failed to protect the personal information of 5,815,591 people during a March 2023 cyberattack.
A proposed class action claims pharmacy services provider PharMerica Corporation and parent company Res-Care, Inc. (which does business as BrightSpring Health Services) failed to protect the personal information of 5,815,591 people during a March 2023 cyberattack.
Did you get a data breach notice from PharMerica? Let us know here.
The 28-page lawsuit says that on March 14, PharMerica and Res-Care discovered that an unauthorized third party had accessed PharMerica’s network systems between March 12 and 13. Later that month, ransomware gang Money Message apparently claimed responsibility for the cyberattack and began publishing what the group purported to be 4.7 terabytes of stolen data on the dark web, the suit relays.
According to the case, the information compromised in the breach included customers’ names, dates of birth, Social Security numbers, medication information and health insurance details.
The complaint argues that the Kentucky-based companies—which provide long-term and specialized pharmacy and health services to seniors, behavioral rehabilitation patients, hospice populations and more—negligently failed to implement sufficient cybersecurity measures to protect their customers’ private data from unauthorized disclosure.
Although PharMerica and BrightSpring explicitly state on their respective websites that they are aware of the risk of data breaches, will follow applicable privacy regulations and will use “reasonable methods” to protect patients’ information, the companies nonetheless failed to secure customers’ sensitive data against ransomware attacks, putting millions at greater risk of medical fraud and identity theft, the filing alleges.
The plaintiff, a South Carolina resident, says she has already felt the effects of the data breach, which resulted in the publication of her sensitive information on the dark web, the suit shares. In early May of this year, the woman’s bank account was fraudulently charged approximately $600, the case says.
The lawsuit looks to represent anyone whose personally identifiable information or personal health information was compromised in the PharMerica data breach, including those who were sent a notice of the incident.
Did you get a data breach notice from PharMerica? Let us know here.
Hair Relaxer Lawsuits
Women who developed ovarian or uterine cancer after using hair relaxers such as Dark & Lovely and Motions may now have an opportunity to take legal action.
Read more here: Hair Relaxer Cancer Lawsuits
How Do I Join a Class Action Lawsuit?
Did you know there's usually nothing you need to do to join, sign up for, or add your name to new class action lawsuits when they're initially filed?
Read more here: How Do I Join a Class Action Lawsuit?
Stay Current
Sign Up For
Our Newsletter
New cases and investigations, settlement deadlines, and news straight to your inbox.
Before commenting, please review our comment policy.