Amerita Named in Class Action Lawsuit Over Data Breach at PharMerica
The specialty infusion company Amerita is facing a class action lawsuit over a recent cyberattack and data breach at its parent company, PharMerica. On September 5, 2023, suspicious activity was detected within the computer networks of PharMerica and Amerita. The forensic investigation confirmed that an unauthorized third party gained access to its systems between March 12 and March 13, 2023, and potentially accessed the sensitive data of 5.8 million individuals. PharMerica reported the breach on behalf of itself and its parent company, BrightSpring Health Services.
The personal and protected health information of almost 220,000 Amerita patients was also compromised in the attack, including names, addresses, diagnoses, medications, and health insurance information. The Money Message ransomware group claimed responsibility for the attack and claimed on its data leak site to have stolen 4.7 terabytes of data, and then proceeded to leak certain files, some of which contained patient data.
Class action lawsuits have already been filed against PharMerica over the data breach, and now a lawsuit has been filed against Amerita on behalf of plaintiff Andrew Rose and similarly situated individuals who had their PHI stolen in the attack. Amerita is alleged to have failed to implement reasonable and appropriate security measures to protect the sensitive data of its patients against unauthorized access, in violation of the Health Insurance Portability and Accountability Act, and is also alleged to have unnecessarily delayed the issuing of notification letters to affected individuals. The breach was discovered on March 13, 2023, but it took until September 2, 2023, for notifications to be issued.
The lawsuit claims the plaintiff has suffered an actual injury due to the data breach, including damages to and diminution in the value of his sensitive information, loss of privacy, imminent and impending injury from the increased risk of identity theft and fraud, and time and money spent mitigating the effects of the data breach. The plaintiff claims the theft of his personal information and the knowledge that it may now have been listed for sale on the dark web has caused him great anxiety due to the risk of identity theft and fraud.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
The 9-count lawsuit alleges negligence, invasion of privacy, breach of implied contract, breach of fiduciary duty, breach of confidence, and violations of California’s Confidentiality of Medical Information Act, California Consumer Privacy Act, California Unfair Competition Law, and the California Customer Records Act. The lawsuit seeks class action status, a jury trial, compensatory, statutory, and nominal damages, legal costs, and an order from the court prohibiting Amerita from engaging in wrongful and unlawful practices. The lawsuit also seeks an order from the court for Amerita to implement several cybersecurity measures to ensure patient data is properly protected in the future.
