in Newswire Published on June 13, 2023

PharMerica, BrightSpring Hit with Class Action Over March 2023 Cyberattack Affecting 5.8M [UPDATE]

by Kelsey McCroskey

Last Updated on February 12, 2026

View Comments

Marallo v. PharMerica Corporation et al.

Filed: June 9, 2023 § 3:23-cv-00298-CHB

Read Complaint

A class action claims pharmacy services provider PharMerica Corporation and parent company Res-Care, Inc. failed to protect the personal information of 5,815,591 people during a March 2023 cyberattack.

Defendant(s)

PharMerica Corporation Res-Care, Inc.

Law(s)

State(s)

Kentucky

Categories

Technology Medical/Health Privacy Data Breach

February 12, 2026 – $5.275M PharMerica Settlement Ends Litigation Over March 2023 Data Breach

The litigation detailed on this page was consolidated with four other cases that made similar allegations against PharMerica on July 18, 2023. Together, the consolidated lawsuit has settled for $5.275 million and offers cash and credit monitoring to those who may have been impacted by the March 2023 PharMerica data breach.

Learn more about the agreement with ClassAction.org’s write-up on the PharMerica class action settlement.

Want to stay in the loop on class action lawsuits that matter to you? Sign up for ClassAction.org’s free weekly newsletter.

A proposed class action claims pharmacy services provider PharMerica Corporation and parent company Res-Care, Inc. (which does business as BrightSpring Health Services) failed to protect the personal information of 5,815,591 people during a March 2023 cyberattack.

Did you get a data breach notice from PharMerica? Let us know here.

The 28-page lawsuit says that on March 14, PharMerica and Res-Care discovered that an unauthorized third party had accessed PharMerica’s network systems between March 12 and 13. Later that month, ransomware gang Money Message apparently claimed responsibility for the cyberattack and began publishing what the group purported to be 4.7 terabytes of stolen data on the dark web, the suit relays.

According to the case, the information compromised in the breach included customers’ names, dates of birth, Social Security numbers, medication information and health insurance details.

The complaint argues that the Kentucky-based companies—which provide long-term and specialized pharmacy and health services to seniors, behavioral rehabilitation patients, hospice populations and more—negligently failed to implement sufficient cybersecurity measures to protect their customers’ private data from unauthorized disclosure.

Although PharMerica and BrightSpring explicitly state on their respective websites that they are aware of the risk of data breaches, will follow applicable privacy regulations and will use “reasonable methods” to protect patients’ information, the companies nonetheless failed to secure customers’ sensitive data against ransomware attacks, putting millions at greater risk of medical fraud and identity theft, the filing alleges.

The plaintiff, a South Carolina resident, says she has already felt the effects of the data breach, which resulted in the publication of her sensitive information on the dark web, the suit shares. In early May of this year, the woman’s bank account was fraudulently charged approximately $600, the case says.

The lawsuit looks to represent anyone whose personally identifiable information or personal health information was compromised in the PharMerica data breach, including those who were sent a notice of the incident.

Did you get a data breach notice from PharMerica? Let us know here.

Case Spotlight

Video Game Addiction Lawsuits

If your child suffers from video game addiction — including Fortnite addiction or Roblox addiction — you may be able to take legal action. Gamers 18 to 22 may also qualify.

Learn more:Video Game Addiction Lawsuit

Kratom 7-OH Lawsuits

Anyone who has used 7-OH kratom products and suffered a serious injury, such as overdose, heart attack or addiction, may be able to take legal action.

Read more: Kratom 7-OH Lawsuits

How Do I Join a Class Action Lawsuit?

Did you know there's usually nothing you need to do to join, sign up for, or add your name to new class action lawsuits when they're initially filed?

Read more here: How Do I Join a Class Action Lawsuit?

ClassAction.org Newsletter

Stay Current

Sign Up For
Our Newsletter

New cases and investigations, settlement deadlines, and news straight to your inbox.

Open Document
Last Updated on February 12, 2026 — 3:53 PM

Kelsey McCroskey

kelsey@classaction.org

Kelsey works primarily on ClassAction.org’s newswire, reporting on cases as they happen.

About ClassAction.org

ClassAction.org is a group of online professionals (designers, developers and writers) with years of experience in the legal industry.

Learn More

Before commenting, please review our comment policy.