in Newswire Published on June 13, 2023

PharMerica, BrightSpring Hit with Class Action Over March 2023 Cyberattack Affecting 5.8M

by Kelsey McCroskey

Last Updated on June 19, 2023

View Comments

Marallo v. PharMerica Corporation et al.

Filed: June 9, 2023 § 3:23-cv-00298-CHB

Read Complaint

A class action claims pharmacy services provider PharMerica Corporation and parent company Res-Care, Inc. failed to protect the personal information of 5,815,591 people during a March 2023 cyberattack.

Defendant(s)

PharMerica Corporation Res-Care, Inc.

Law(s)

State(s)

Kentucky

Categories

Technology Medical/Health Privacy Data Breach

A proposed class action claims pharmacy services provider PharMerica Corporation and parent company Res-Care, Inc. (which does business as BrightSpring Health Services) failed to protect the personal information of 5,815,591 people during a March 2023 cyberattack.

Did you get a data breach notice from PharMerica? Let us know here.

The 28-page lawsuit says that on March 14, PharMerica and Res-Care discovered that an unauthorized third party had accessed PharMerica’s network systems between March 12 and 13. Later that month, ransomware gang Money Message apparently claimed responsibility for the cyberattack and began publishing what the group purported to be 4.7 terabytes of stolen data on the dark web, the suit relays.

According to the case, the information compromised in the breach included customers’ names, dates of birth, Social Security numbers, medication information and health insurance details.

The complaint argues that the Kentucky-based companies—which provide long-term and specialized pharmacy and health services to seniors, behavioral rehabilitation patients, hospice populations and more—negligently failed to implement sufficient cybersecurity measures to protect their customers’ private data from unauthorized disclosure.

Although PharMerica and BrightSpring explicitly state on their respective websites that they are aware of the risk of data breaches, will follow applicable privacy regulations and will use “reasonable methods” to protect patients’ information, the companies nonetheless failed to secure customers’ sensitive data against ransomware attacks, putting millions at greater risk of medical fraud and identity theft, the filing alleges.

The plaintiff, a South Carolina resident, says she has already felt the effects of the data breach, which resulted in the publication of her sensitive information on the dark web, the suit shares. In early May of this year, the woman’s bank account was fraudulently charged approximately $600, the case says.

The lawsuit looks to represent anyone whose personally identifiable information or personal health information was compromised in the PharMerica data breach, including those who were sent a notice of the incident.

Did you get a data breach notice from PharMerica? Let us know here.

Case Spotlight

Hair Relaxer Lawsuits

Women who developed ovarian or uterine cancer after using hair relaxers such as Dark & Lovely and Motions may now have an opportunity to take legal action.

Read more here: Hair Relaxer Cancer Lawsuits

ClassAction.org Newsletter

Stay Current

Sign Up For
Our Newsletter

New cases and investigations, settlement deadlines, and news straight to your inbox.

This browser does not support PDFs. Please download the PDF to view it: Download PDF.
Open Document
Last Updated on June 19, 2023 — 11:53 AM

Kelsey McCroskey

kelsey@classaction.org

Kelsey works primarily on ClassAction.org’s newswire, reporting on cases as they happen.

About ClassAction.org

ClassAction.org is a group of online professionals (designers, developers and writers) with years of experience in the legal industry.

Learn More

Before commenting, please review our comment policy.