AllCare Plus Pharmacy Settles Class Action Data Breach Lawsuit – The HIPAA Journal
AllCare Plus Pharmacy Settles Class Action Data Breach Lawsuit The HIPAA Journal
AllCare Plus Pharmacy Settles Class Action Data Breach Lawsuit
A settlement has been agreed to resolve litigation stemming from a 2022 data breach at AllCare Plus Pharmacy. The Northborough, MA-based pharmacy detected the security incident on June 21, 2022, when suspicious activity was identified in an employee’s email account.
The investigation confirmed that hackers gained access to the email account after the employee responded to a phishing email. The review of the account confirmed it contained names, addresses, birth dates, Social Security numbers, driver’s license and other ID numbers, financial information, and limited health and health insurance information related to treatment and prescriptions. The breach was reported to the Maine Attorney General as affecting 5,971 individuals.
A lawsuit – Celeste Brown, et al. v. AllCare Plus Pharmacy LLC – was filed in the Suffolk County Superior Court of the Commonwealth of Massachusetts over the data breach, claiming the data breach occurred due to the failure to implement appropriate cybersecurity measures and follow industry standard security best practices.
According to the lawsuit, had those measures been implemented, the data breach could have been prevented. AllCare Plus Pharmacy maintains that there was no wrongdoing and that it had meritorious defenses in place; however, the pharmacy chose to settle the litigation to prevent further legal costs and to avoid the risks and uncertainty associated with continuing to fight the litigation.
Under the terms of the settlement, individuals who were notified that their data was compromised may submit claims for reimbursement of documented out-of-pocket losses. Claims may be submitted for ordinary losses up to a maximum of $750 per class member, which can include communication costs, credit monitoring costs, attorneys’ fees, accountants’ fees, and miscellaneous expenses.
Claims may also be submitted for extraordinary losses, such as losses due to identity theft and fraud, up to a maximum of $5,000 per class member. Class members may also claim up to five hours of lost time dealing with the consequences of the data breach at $20 per hour. Class members have been offered two years of complimentary credit monitoring and identity theft protection services. Class members who do not wish to submit a claim or receive credit monitoring services may choose to receive a cash payment of $50.
The settlement has received preliminary approval from the court, and the final fairness hearing has been scheduled for August 27, 2025. The deadline for exclusion from the settlement, objection to the settlement, and submitting claims is July 3, 2025. AllCare Plus Pharmacy said it has made security changes since the incident and will continue to review and update those security measures.
The post AllCare Plus Pharmacy Settles Class Action Data Breach Lawsuit appeared first on The HIPAA Journal.
Stakes are higher in new HIPAA Security Rule – Healthcare Finance News
Stakes are higher in new HIPAA Security Rule Healthcare Finance News
Verisource Services Increases Data Breach Victim Count to 4 Million – The HIPAA Journal
Verisource Services Increases Data Breach Victim Count to 4 Million The HIPAA Journal
Verisource Services Increases Data Breach Victim Count to 4 Million
Verisource Services, an employee benefits administration service provider, has determined that a previously announced data breach was far worse than initially thought and has affected up to 4 million individuals. The Houston, Texas-based company detected a hacking incident on February 28, 2024, that disrupted access to some of its systems. Third-party cybersecurity and incident response experts were engaged to investigate the incident and determine the nature and scope of the unauthorized activity.
The forensic investigation confirmed hackers had access to its network and exfiltrated files on February 27, 2024. At the time of the initial announcement, Verisource Services said names, dates of birth, genders, and Social Security numbers had been stolen. The affected individuals included employees and dependents of clients who used its services, which include HR outsourcing, benefits enrollment, billing, and administrative services.
The data breach was initially reported as affecting 1,382 individuals, but as the investigation progressed, it became clear that the breach was worse than initially thought. In August 2024, the data breach was reported to the HHS’ Office for Civil Rights (OCR) as involving the protected health information of 112,726 individuals. The most recent notification to the Maine Attorney General indicates up to 4 million individuals have been affected, a sizeable increase from previous estimates. The OCR breach portal still lists the incident as affecting 112,726 patients and plan members of its HIPAA-regulated entity clients, although that total may well be updated in the coming days.
Verisource Services explained in the breach notice that the data review was not completed until April 17, 2025, almost 14 months after the security incident was detected. Verisource Services reported the security incident to the Federal Bureau of Investigation, and several additional security measures have been implemented to improve its security posture. Notification letters had previously been sent to some affected individuals; however, the bulk of the notification letters have only recently been mailed. Verisource Services said complimentary credit monitoring and identity theft protection services have been offered to the affected individuals, who will also be protected with a $1,000,000 identity theft insurance policy.
Since sensitive data was stolen many months ago, data may already have been misused. In addition to signing up for the credit monitoring and identity theft protection services, affected individuals should also check their account statements for signs of data misuse going back to February 2024. Verisource Services was already facing several class action lawsuits over the data breach. Now that the breach total has been substantially increased, further lawsuits are expected to be filed. The lawsuits already filed alleged that Verisource Services was negligent due to the failure to implement reasonable and appropriate cybersecurity measures and follow industry-standard cybersecurity best practices. The lawsuits seek a jury trial, attorneys’ fees, and compensatory and punitive damages.
The post Verisource Services Increases Data Breach Victim Count to 4 Million appeared first on The HIPAA Journal.
What to know about HIPAA security updates – MobiHealthNews
What to know about HIPAA security updates MobiHealthNews
Prepare for more scrutiny of risk assessments with HIPAA security rule – Healthcare IT News
Prepare for more scrutiny of risk assessments with HIPAA security rule Healthcare IT News
Endue Software Confirms Data Breach Affecting Multiple Providers – The HIPAA Journal
Endue Software Confirms Data Breach Affecting Multiple Providers The HIPAA Journal
Endue Software Confirms Data Breach Affecting Multiple Providers – The HIPAA Journal
Endue Software Confirms Data Breach Affecting Multiple Providers The HIPAA Journal