Legal News about HIPAA Compliance

AllCare Plus Pharmacy Settles Class Action Data Breach Lawsuit

A settlement has been agreed to resolve litigation stemming from a 2022 data breach at AllCare Plus Pharmacy. The Northborough, MA-based pharmacy detected the security incident on June 21, 2022, when suspicious activity was identified in an employee’s email account.

The investigation confirmed that hackers gained access to the email account after the employee responded to a phishing email. The review of the account confirmed it contained names, addresses, birth dates, Social Security numbers, driver’s license and other ID numbers, financial information, and limited health and health insurance information related to treatment and prescriptions. The breach was reported to the Maine Attorney General as affecting 5,971 individuals.

A lawsuit – Celeste Brown, et al. v. AllCare Plus Pharmacy LLC – was filed in the Suffolk County Superior Court of the Commonwealth of Massachusetts over the data breach, claiming the data breach occurred due to the failure to implement appropriate cybersecurity measures and follow industry standard security best practices.

According to the lawsuit, had those measures been implemented, the data breach could have been prevented. AllCare Plus Pharmacy maintains that there was no wrongdoing and that it had meritorious defenses in place; however, the pharmacy chose to settle the litigation to prevent further legal costs and to avoid the risks and uncertainty associated with continuing to fight the litigation.

Under the terms of the settlement, individuals who were notified that their data was compromised may submit claims for reimbursement of documented out-of-pocket losses. Claims may be submitted for ordinary losses up to a maximum of $750 per class member, which can include communication costs, credit monitoring costs, attorneys’ fees, accountants’ fees, and miscellaneous expenses.

Claims may also be submitted for extraordinary losses, such as losses due to identity theft and fraud, up to a maximum of $5,000 per class member. Class members may also claim up to five hours of lost time dealing with the consequences of the data breach at $20 per hour. Class members have been offered two years of complimentary credit monitoring and identity theft protection services. Class members who do not wish to submit a claim or receive credit monitoring services may choose to receive a cash payment of $50.

The settlement has received preliminary approval from the court, and the final fairness hearing has been scheduled for August 27, 2025. The deadline for exclusion from the settlement, objection to the settlement, and submitting claims is July 3, 2025. AllCare Plus Pharmacy said it has made security changes since the incident and will continue to review and update those security measures.

The post AllCare Plus Pharmacy Settles Class Action Data Breach Lawsuit appeared first on The HIPAA Journal.

Ransomware Attack on Frederick Health Medical Group Affects 934,000 Patients

Frederick Health Medical Group is facing several potential class action lawsuits over a recent data breach that affected more than 900,000 patients.  Frederick Health Medical Group, a Maryland-based healthcare group, announced on January 27, 2025, that it had fallen victim to a ransomware attack and had called in cybersecurity experts to investigate the incident. At the time, it was unclear to what extent patient data had been compromised in the incident, but it has now been confirmed that the electronic protected health information of 934,326 patients was stolen.

According to its March 28, 2025, substitute breach notice, the ransomware group stole data such as patient names, addresses, dates of birth, Social Security numbers, drivers’ license numbers, medical record numbers, health insurance information, and/or clinical information related to patients’ care. The electronic medical record system was not compromised in the attack. The name of the ransomware group behind the attack was not disclosed, and no ransomware group is known to have claimed responsibility for the attack. It is also unclear if the ransom was paid. In late March, individual notification letters started to be mailed to the affected individuals, and complimentary credit monitoring and identity theft protection services have been made available. Frederick Health Medical Group said additional cybersecurity safeguards have been implemented to better protect patient data and monitor its systems for unauthorized access.

At least five class action lawsuits have already been filed in response to the data breach. The lawsuits all assert similar claims, including negligence for failing to implement reasonable and appropriate cybersecurity measures to safeguard patient data and a failure to follow industry-standard cybersecurity best practices. The lawsuits also claim that the breach notification letters failed to disclose adequate information about the data breach, including the steps taken to prevent further attacks and even the types of data compromised in the incident. The lawsuits name Frederick Health Medical Group patients Ernest Farkas, Joseph Kingsman, Jaquelyn Chaillet, James Shoemaker, Wesley Kibler, and Jennifer McCreary as plaintiffs.

The lawsuits claim patients have suffered harm from the data breach, including an elevated and ongoing risk of identity theft and fraud, and out-of-pocket costs mitigating the harmful effects of the data breach. The lawsuits seek a jury trial, attorneys’ fees, and compensatory and punitive damages.

The post Ransomware Attack on Frederick Health Medical Group Affects 934,000 Patients appeared first on The HIPAA Journal.