putilov_denis - stock.adobe.com
PharMerica settles data breach lawsuit for $5.2M
Long-term care pharmacy network PharMerica suffered a data breach in 2023 that impacted more than 5.8 million individuals.
PharMerica agreed to a $5.2 million settlement to resolve a class-action lawsuit stemming from a 2023 data breach that affected more than 5.8 million individuals. The settlement received preliminary approval from a U.S. District Court judge in the Western District of Kentucky, Louisville Division.
PharMerica is a Fortune 1000 company headquartered in Louisville, Kentucky. It primarily provides pharmacy services for long-term care, senior living, behavioral health and oncology settings.
In March 2023, PharMerica discovered suspicious activity within its network. It was later determined that a cyberthreat actor had accessed its computer systems and obtained personal information, including Social Security numbers, medication and health insurance information, addresses and birth dates. The Money Message ransomware group claimed responsibility for the attack.
A series of lawsuits followed the breach disclosure and were later consolidated into a single class-action complaint: Lurry v. PharMerica Corporation. The class-action lawsuit alleged that PharMerica was negligent by improperly collecting and storing patient data.
The settlement fund will contain $5.2 million and will cover all settlement administration costs, PharMerica's past and future costs of data mining to confirm membership in the settlement class, attorney's fees and any service awards for class representatives. The remaining funds can be claimed via cash payment to class members on a pro rata basis.
In addition to the settlement fund, PharMerica will pay claims for documented out-of-pocket expenses up to $10,000 per class member, along with one year of Kroll Complete Monitoring, which includes credit monitoring, dark web monitoring and identify theft restoration services.
PharMerica also agreed to implement business practice changes to better safeguard the personal information stored on its systems.
A final approval hearing will be held on May 12, 2026.
Jill Hughes has covered healthcare cybersecurity and privacy news since 2021.
