PharMerica and its subsidiary Amerita’s Specialty Infusion Services (Amerita) are already facing class action lawsuits after patients received a September 5, 2023, data breach notification letter. When the businesses detected suspicious activity on both the PharMerica and Amerita networks, a forensic investigation determined that a threat actor had gained access to the systems sometime in early March 2023, allowing unauthorized access to approximately 5.8 million individuals. The type of information accessible included names, addresses, diagnoses, medications, and health insurance. The threat actor was identified as the Money Message ransomware group and the group posted data on its leak site from the 4.7 terabytes of stolen data.

The lawsuits have been filed against both PharMerica and Amerita by individuals whose personal and health information were compromised in the attack. The lawsuits allege failure of the businesses to implement reasonable and appropriate security safeguards to protect patient information and unnecessarily delaying the issuing of notification letters to individuals. The plaintiff claims to have suffered diminution of the value of his information, loss of privacy, and impending injury from increased risk of identity theft and fraud, as well as time and money spent on mitigating harm caused by the breach. The plaintiff also alleges that the threat of his information being published and available on the dark web has caused severe anxiety. The lawsuits seek compensatory, statutory, and nominal damages as well as legal costs. Additionally, the lawsuit seeks a court order requiring the businesses to implement cybersecurity safeguards to protect patient information. To view the Amerita class action click here. To view the PharMerica class action click here.