PharMerica and its subsidiary Amerita’s Specialty Infusion Services (Amerita) are already facing class action lawsuits after patients received a September 5, 2023, data breach notification letter. After the businesses detected suspicious activity on both the PharMerica and Amerita networks, a forensic investigation determined that a threat actor had gained access to the systems sometime in early March 2023, allowing unauthorized access to the information of approximately 5.8 million individuals. The types of information accessible included names, addresses, diagnoses, medications, and health insurance. The threat actor was identified as the Money Message ransomware group, which posted data from the 4.7 terabytes of stolen data on its leak site.

The lawsuits have been filed against both PharMerica and Amerita by individuals whose personal and health information was compromised in the attack. The lawsuits allege that the businesses failed to implement reasonable and appropriate security safeguards to protect patient information and unnecessarily delayed issuing notification letters to individuals. The plaintiff claims to have suffered diminution of the value of his information, loss of privacy, and impending injury from increased risk of identity theft and fraud, as well as time and money spent on mitigating harm caused by the breach. The plaintiff also alleges that the threat of his information being published and available on the dark web has caused severe anxiety. The lawsuits seek compensatory, statutory, and nominal damages as well as legal costs. Additionally, the lawsuit seeks a court order requiring the businesses to implement cybersecurity safeguards to protect patient information.

Kathryn Rattigan

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy+ Cybersecurity Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security compliance. Kathryn helps clients review, revise and implement necessary policies and procedures under the Health Insurance Portability and Accountability Act (HIPAA). She also provides clients with the information needed to effectively and efficiently handle potential and confirmed data breaches while providing insight into federal regulations and requirements for notification and an assessment under state breach notification laws. Prior to joining the firm, Kathryn was an associate at Nixon Peabody. She earned her J.D., cum laude, from Roger Williams University School of Law and her B.A., magna cum laude, from Stonehill College. She is admitted to practice law in Massachusetts and Rhode Island. Read her full rc.com bio here.