PharMerica Pays Over $5.2 Million to Settle Class Action Data Breach Lawsuit
PharMerica has agreed to settle a class action lawsuit over a 2023 hacking incident and data breach that affected 5.8 million individuals. In addition to paying $5.2 million to cover costs and benefits, PharMerica has committed to investing millions to strengthen its security posture.
PharMerica, a Fortune 1000 pharmacy services provider, experienced a cyberattack in March 2023 for which the Money Message ransomware group took credit. The group claimed to have exfiltrated 4.7 terabytes of data in the attack, and it proceeded to leak the stolen data on its dark web data leak site, including files containing patient information. Data compromised in the attack included names, addresses, birth dates, medications, Social Security numbers, and health insurance information.
Several class action lawsuits were filed against PharMerica in response to the data breach, alleging negligent collection and storage of patient data. The lawsuits had overlapping claims and were consolidated into a single complaint – Lurry v. PharMerica Corporation – in the United States District Court for the Western District of Kentucky, Louisville Division. PharMerica denies all claims of liability and wrongdoing and sought to have the lawsuit dismissed. On January 12, 2024, a federal judge partially granted the motion to dismiss; however, she allowed the lawsuit to proceed.
For the negligence claim, the judge ruled that the plaintiffs sufficiently alleged damages arising from the breach; however, she dismissed the claims of breach of implied contract for certain plaintiffs who had no direct relationship with PharMerica, the claim of breach of fiduciary duty, and certain claims under California and Michigan law.
Under the terms of the settlement, PharMerica has agreed to pay $5,275,000 into a settlement fund, which will be used to pay attorneys’ fees, settlement administration costs, PharMerica’s past and future costs of data mining to identify members of the settlement class, service awards for the six class representatives, and benefits for the class members.
Class members may submit a claim for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $10,000 per class member, and are also entitled to claim a one-year membership to a credit monitoring, dark web monitoring, payday loan monitoring, credit score reporting, fraud consultation, and identity theft resolution service. That package also includes a $1 million identity theft insurance policy. In addition, class members may claim a one-time cash payment, which will be paid pro rata and will depend on the number of claims received. In addition to that settlement, PharMerica has agreed to change its business practices and improve security to better protect patient data in its possession.
The settlement received preliminary approval from the court on January 12, 2026. The deadline for objection and opting out is April 12, 2025. Claims must be submitted by April 27, 2026, and the final fairness hearing has been scheduled for May 12, 2026.
The post PharMerica Pays Over $5.2 Million to Settle Class Action Data Breach Lawsuit appeared first on The HIPAA Journal.
University of Hawaii Cancer Center Confirms Patient Data Stolen in Ransomware Attack
University of Hawaii Cancer Center has recently disclosed an August 2025 ransomware attack involving the acquisition of the sensitive data of study participants. University of Hawaii Cancer Center, part of the University of Hawaii (UH) System, is located in the Kakaʻako district of Honolulu and is the only National Cancer Institute-designated center in the state. According to the cancer center’s press release and breach reports to state attorneys general, unauthorized access to its computer network was discovered on or around August 31, 2025.
The affected servers were isolated, and an investigation was launched to determine the nature and scope of the unauthorized activity. University of Hawaii Cancer Center confirmed that a ransomware group had breached its network, encrypted files, and exfiltrated research files containing patient information. University of Hawaii Cancer Center said its electronic medical record system was unaffected; however, files were obtained that contained patients’ protected health information.
The majority of the stolen files related to a single research project. The review of those files revealed that some contained the Social Security numbers of research participants dating back to the 1990s. The University of Hawaii Cancer Center said that in the 1990s, Social Security numbers were used as patient identifiers; however, that practice has since been halted, and alternative identifiers are now used.
Due to the highly sensitive nature of the stolen data, UH made the difficult decision to engage with the threat actor. University of Hawaii Cancer Center said it worked with third-party cybersecurity experts to obtain a decryption tool to recover the encrypted data, and paid a ransom to prevent the publication of the stolen data. Assurances have been received that all of the stolen data has been deleted.
Files unrelated to the research study are still being reviewed to determine if they contain any patient data. Notification letters have yet to be sent to the affected individuals, but they will be mailed once up-to-date contact information has been obtained. University of Hawaii Cancer Center said the affected individuals will be offered complimentary credit monitoring and identity theft protection services.
Even though the ransom was paid, due to the extent of file encryption, it has taken some time to recover the encrypted files and restore the affected systems. Additional measures have been implemented to strengthen security, including replacing the cancer center’s existing firewall with a new firewall with additional security controls and installing new endpoint protection software with 24/7 monitoring. The University of Hawaii Cancer Center said third-party cybersecurity experts have assessed and validated the cancer center’s security controls.
The incident has been reported to regulators; however, since the file review has not yet concluded, the number of affected individuals has yet to be disclosed.
The post University of Hawaii Cancer Center Confirms Patient Data Stolen in Ransomware Attack appeared first on The HIPAA Journal.