PharMerica Pays Over $5.2 Million to Settle Class Action Data Breach Lawsuit

Posted by Steve Alder

PharMerica has agreed to settle a class action lawsuit over a 2023 hacking incident and data breach that affected 5.8 million individuals. In addition to paying $5.2 million to cover costs and benefits, PharMerica has committed to investing millions to strengthen its security posture.

PharMerica, a Fortune 1000 pharmacy services provider, experienced a cyberattack in March 2023 for which the Money Message ransomware group took credit. The group claimed to have exfiltrated 4.7 terabytes of data in the attack, and it proceeded to leak the stolen data on its dark web data leak site, including files containing patient information. Data compromised in the attack included names, addresses, birth dates, medications, Social Security numbers, and health insurance information.

Several class action lawsuits were filed against PharMerica in response to the data breach, alleging negligent collection and storage of patient data. The lawsuits had overlapping claims and were consolidated into a single complaint – Lurry v. PharMerica Corporation – in the United States District Court for the Western District of Kentucky, Louisville Division. PharMerica denies all claims of liability and wrongdoing and sought to have the lawsuit dismissed. On January 12, 2024, a federal judge partially granted the motion to dismiss; however, she allowed the lawsuit to proceed.

For the negligence claim, the judge ruled that the plaintiffs sufficiently alleged damages arising from the breach; however, she dismissed the claims of breach of implied contract for certain plaintiffs who had no direct relationship with PharMerica, the claim of breach of fiduciary duty, and certain claims under California and Michigan law.

Under the terms of the settlement, PharMerica has agreed to pay $5,275,000 into a settlement fund, which will be used to pay attorneys’ fees, settlement administration costs, PharMerica’s past and future costs of data mining to identify membership to the settlement class, service awards for the six class representatives, and benefits for the class members.

Class members may submit a claim for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $10,000 per class member, and are also entitled to claim a one-year membership to a credit monitoring, dark web monitoring, payday loan monitoring, credit score reporting, fraud consultation, and identity theft resolution service. That package also includes a $1 million identity theft insurance policy. In addition, class members may claim a one-time cash payment, which will be paid pro rata and will depend on the number of claims received. In addition to that settlement, PharMerica has agreed to change its business practices and improve security to better protect patient data in its possession.

The settlement received preliminary approval from the court on January 12, 2026. The deadline for objection and opting out is April 12, 2025. Claims must be submitted by April 27, 2026, and the final fairness hearing has been scheduled for May 12, 2026.

The post PharMerica Pays Over $5.2 Million to Settle Class Action Data Breach Lawsuit appeared first on The HIPAA Journal.

University of Hawai’i Cancer Center: 1.24 Million Individuals Affected by 2025 Ransomware Attack

Posted by Steve Alder

The University of Hawai’i Cancer Center (UHCC) has confirmed that up to 1.24 million individuals may have been affected by its August 2025 ransomware attack. The HIPAA Journal previously reported on the incident in January 2026 (see below), when the attack and data breach were first announced; however, at the time, the file review was ongoing, and the number of affected individuals had yet to be announced.

UHCC explained that the notification delay was due to the volume of data impacted, the complexity of the encrypted data, and the age of the studies and records. In a report to the state legislature, UHCC provided additional information about the attack and data breach, confirming that the ransomware attack had no impact on patient care, clinical trials operations, its Basic Science and Prevention Division, and there was no unauthorized access to student records.

The forensic investigation determined that the threat actor accessed the UHCC Epidemiology Division’s research files, exfiltrated files, and encrypted data. The initial findings of the investigation found that a majority of the affected files related to its decades-long Multi Ethnic Cohort (DEC) Study, which mostly contained research data with no personal information about the study participants.

Further investigation determined that some of the files in the impacted data contained Social Security numbers and driver’s license numbers of individuals recruited for that study between 1993 and 1996. UHCC recruited more than 215,000 individuals from Hawai’i and Los Angeles, CA, for that study. UHCC began compiling a list of names and obtained mailing addresses for all potentially affected individuals and has now mailed 87,493 notification letters to the affected study participants. They have been offered 12 months of complimentary credit monitoring and identity theft protection services.

As the review of the impacted files continued, UHCC identified names and Hawaiʻi State driver’s license numbers in the impacted data. They had been collected in the year 2000 from the State Department of Transportation, plus voter registration information collected in the year 1998 from the City & County of Honolulu. At that time, Social Security numbers were commonly used as driver’s license numbers and voter registration numbers, and government departments freely provided those lists. The lists were used by its researchers to recruit study participants and for associated research purposes. UHCC also identified Social Security numbers and health-related information obtained for epidemiological studies of diet and cancer. Across these additional files, UHCC identified 1,153,527 potentially affected individuals, in addition to the 87,493 individuals who were notified by mail.

Under state law, if more than 200,000 individuals are affected by a data breach, if the cost of mailing notifications exceeds $100,000, or in cases where sufficient contact information is not held, electronic notifications are permitted. UHCC located email addresses for approximately 900,000 individuals out of the 1,153,527 potentially affected individuals, and has emailed notifications to those individuals. A substitute breach notice has been added to the UHCC website to serve as notice for the individuals who could not be emailed, and statewide media has been notified.

UHCC has established a dedicated call center for individuals to make contact for further information about the impacted data and to request credit monitoring services. The call center – (844) 443-0842 – is manned Monday to Friday, 8:30 a.m. to 9 p.m. Central Time (excluding holidays). The data review is not yet concluded; however, UHCC is confident that any further personal or protected health information that has yet to be identified will be minimal. Should further individuals be identified, they will be notified separately.

UHCC has confirmed that it has implemented “extensive cybersecurity and governance enhancements” in response to the ransomware attack and data breach and has shared information about those measures in its detailed breach notice. UHCC lists several technical measures that have been implemented or enhanced, and to improve information security oversight, a new Information Security Governance Council for Research has been established to coordinate with research-related cybersecurity, and a new Information Security Task Force has been established, which is responsible for updating policies, strengthening cyber roles and responsibilities, and recommending enterprise‑level controls and investments.

“This cyberattack requires a comprehensive, systemwide response. I have initiated a full review of information technology systems across all 10 campuses to ensure we are strengthening protections wherever needed,” said UH President Wendy Hensel. “We will take a holistic approach, identify areas requiring additional investment, and move forward with those improvements. Safeguarding the data entrusted to us is essential to our mission and our responsibility to the people of Hawaiʻi.”

January 15, 2026: University of Hawai’i Cancer Center Confirms Patient Data Stolen in Ransomware Attack

The University of Hawai’i Cancer Center has recently disclosed an August 2025 ransomware attack involving the acquisition of the sensitive data of study participants. University of Hawai’i Cancer Center, part of the University of Hawai’i (UH) System, is located in the Kakaʻako district of Honolulu and is the only National Cancer Institute-designated center in the state. According to the cancer center’s press release and breach reports to state attorneys general, unauthorized access to its computer network was discovered on or around August 31, 2025.

The affected servers were isolated, and an investigation was launched to determine the nature and scope of the unauthorized activity. University of Hawai’i Cancer Center confirmed that a ransomware group had breached its network, encrypted files, and exfiltrated research files containing patient information. The University of Hawai’i Cancer Center said its electronic medical record system was unaffected; however, files were obtained that contained patients’ protected health information.

The majority of the stolen files related to a single research project. The review of those files revealed that some contained the Social Security numbers of research participants dating back to the 1990s. The University of Hawai’i Cancer Center said that in the 1990s, Social Security numbers were used as patient identifiers; however, that practice has since been halted, and alternative identifiers are now used.

Due to the highly sensitive nature of the stolen data, UH made the difficult decision to engage with the threat actor. University of Hawai’i Cancer Center said it worked with third-party cybersecurity experts to obtain a decryption tool to recover the encrypted data, and paid a ransom to prevent the publication of the stolen data. Assurances have been received that all of the stolen data has been deleted.

Files unrelated to the research study are still being reviewed to determine if they contain any patient data. Notification letters have yet to be sent to the affected individuals, but they will be mailed once up-to-date contact information has been obtained.  The University of Hawai’i Cancer Center said the affected individuals will be offered complimentary credit monitoring and identity theft protection services.

Even though the ransom was paid, due to the extent of file encryption, it has taken some time to recover the encrypted files and restore the affected systems. Additional security measures have been implemented to strengthen security, including replacing its existing firewall with a new firewall with additional security controls and installing new endpoint protection software with 24/7 monitoring. The University of Hawai’i Cancer Center said third-party cybersecurity experts have assessed and validated the cancer center’s security controls.

The incident has been reported to regulators; however, since the file review has not yet concluded, the number of affected individuals has yet to be disclosed.

The post University of Hawai’i Cancer Center: 1.24 Million Individuals Affected by 2025 Ransomware Attack appeared first on The HIPAA Journal.