PharMerica Pays Over $5.2 Million to Settle Class Action Data Breach Lawsuit

PharMerica has agreed to settle a class action lawsuit over a 2023 hacking incident and data breach that affected 5.8 million individuals. In addition to paying $5.2 million to cover costs and benefits, PharMerica has committed to investing millions to strengthen its security posture.

PharMerica, a Fortune 1000 pharmacy services provider, experienced a cyberattack in March 2023 for which the Money Message ransomware group took credit. The group claimed to have exfiltrated 4.7 terabytes of data in the attack, and it proceeded to leak the stolen data on its dark web data leak site, including files containing patient information. Data compromised in the attack included names, addresses, birth dates, medications, Social Security numbers, and health insurance information.

Several class action lawsuits were filed against PharMerica in response to the data breach, alleging negligent collection and storage of patient data. The lawsuits had overlapping claims and were consolidated into a single complaint – Lurry v. PharMerica Corporation – in the United States District Court for the Western District of Kentucky, Louisville Division. PharMerica denies all claims of liability and wrongdoing and sought to have the lawsuit dismissed. On January 12, 2024, a federal judge partially granted the motion to dismiss; however, she allowed the lawsuit to proceed.

For the negligence claim, the judge ruled that the plaintiffs sufficiently alleged damages arising from the breach; however, she dismissed the claims of breach of implied contract for certain plaintiffs who had no direct relationship with PharMerica, the claim of breach of fiduciary duty, and certain claims under California and Michigan law.

Under the terms of the settlement, PharMerica has agreed to pay $5,275,000 into a settlement fund, which will be used to pay attorneys’ fees, settlement administration costs, PharMerica’s past and future costs of data mining to identify membership to the settlement class, service awards for the six class representatives, and benefits for the class members.

Class members may submit a claim for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $10,000 per class member, and are also entitled to claim a one-year membership to a credit monitoring, dark web monitoring, payday loan monitoring, credit score reporting, fraud consultation, and identity theft resolution service. That package also includes a $1 million identity theft insurance policy. In addition, class members may claim a one-time cash payment, which will be paid pro rata and will depend on the number of claims received. In addition to that settlement, PharMerica has agreed to change its business practices and improve security to better protect patient data in its possession.

The settlement received preliminary approval from the court on January 12, 2026. The deadline for objection and opting out is April 12, 2025. Claims must be submitted by April 27, 2026, and the final fairness hearing has been scheduled for May 12, 2026.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
