Fortune 1000 pharmacy services provider, PharMerica, decided to resolve a class action litigation associated with a hacking incident resulting in a data breach in 2023 that impacted 5.8 million people. Besides paying $5.2 million for costs and benefits, the company stated it will spend money on improving its security posture.
In March 2023, PharMerica suffered a cyberattack. The Money Message ransomware group announced that it is behind the attack and the exfiltration of 4.7 terabytes of data. The group leaked the stolen data files that include patient data on its dark web data leak site. Breached data during the attack included names, birth dates, addresses, prescription drugs, Social Security numbers, and medical insurance data.
In response to the data breach, PharMerica faced several class action lawsuits that alleged irresponsible collection and keeping of patient information. The lawsuits had similar claims and so combined as Lurry v. PharMerica Corporation lawsuit filed in the United States District Court for the Western District of Kentucky, Louisville Division. The defendant does not admit any claims of liability and wrongdoing and filed a dismissal of the lawsuit. On January 12, 2024, a federal judge partly approved the motion to dismiss; nonetheless, she granted the continuing of the lawsuit.
Regarding the negligence claim, the judge decided that the plaintiffs adequately alleged damages due to the breach. Nevertheless, she dismissed some claims covered by California and Michigan legislation, the claims of breach of implied contract for selected plaintiffs who did not have direct association with PharMerica, and the claim of breach of fiduciary duty.
The terms of the settlement require PharMerica to create a $5,275,000 settlement fund, which will cover attorneys’ fees, settlement management expenses, PharMerica’s past and future expenditures for data mining to indicate membership to the settlement class, the six class representatives’ service awards, and class members’ benefits.
Class members could file a claim for refund of documented, unreimbursed expenses because of the data breach up to $10,000 per class member, and are additionally eligible to claim a year of membership for the following services: fraud consultation, identity theft resolution, credit monitoring, dark web monitoring, credit score reporting, and payday loan monitoring. That package likewise includes an insurance policy worth $1 million. Class members could also claim a one-time cash payment, adjustable pro rata depending on how many valid claims are submitted. Besides that settlement, PharMerica decided to adjust its business practices and strengthen security to better secure patient information in its safekeeping. Employees may need to undergo HIPAA training.
The court gave preliminary approval of the settlement on January 12, 2026. The last day to file an objection to or opt out of the settlement is April 12, 2025. Class members may file claims on or before April 27, 2026. The schedule of the final fairness hearing is May 12, 2026.
