The long-term care pharmacy network has reached a settlement following a 2023 breach.
PharMerica recently agreed to pay a $5.2 million settlement to resolve a class action suit from a 2023 breach that impacted 5.8 million individuals.
According to TechTarget, in March of 2023, PharMerica discovered suspicious activity within its network and soon after determined a threat actor had accessed PharMerica’s computer network without authorization.
During the incident, the malicious actor successfully obtained the following personal information of victims: Social Security numbers, medication and health insurance information, addresses and birth dates.
Following the incident, multiple class action lawsuits were filed. On November 30th, 2023, these lawsuits were consolidated into one complaint: Lurry v. PharMerica Corporation. The lawsuit alleged that PharMerica was negligent due to improper data collection and storage, and that its negligence caused harm and led to potential harm for class action members. The lawsuit also noted that 4.7 terabytes of information was stolen.
Currently, the settlement has preliminary approval from a U.S. District Court judge in the Western District of Kentucky, Louisville Division. The settlement notice notes that PharMerica will pay $5.27 million, which will go towards settlement administration costs, costs of data mining needed for victims, service awards for class representatives, attorney fees, and funds for class members. In addition to the settlement fund, PharMerica will also pay claims for documented out-of-pocket expenses, up to $10,000 per class member, and for credit and identity monitoring services. A final approval hearing is scheduled for May 12th, 2026.
The case is yet another example of the financial consequences healthcare organizations may face following a data breach. In this case, as in most settlements, PharMerica has not admitted any wrongdoing or admitted to negligently storing data, but will nevertheless pay the price for the incident. Other healthcare companies, like Solara Medical Services, have found themselves in similar situations, with Solara paying a 9.76 million settlement. Outside of the settlement, Solara also paid an additional fine to the OCR, showing that the settlement cost alone may not be the only financial repercussion for PharMerica.
Data mining may be needed to confirm if a victim is a class member and confirm what information may have been impacted in the breach.
The incident has been linked to PharMerica’s subsidiary, Amerita. No official reports state what caused the breach, but ransomware group Money Message took credit for the incident, leading to speculation that the incident was a ransomware attack against Amerita’s IT network.