May 31, 2023 — PharMerica has suffered a significant data breach, currently the largest healthcare data breach reported in 2023. The incident exposed sensitive personal and medical information belonging to roughly 5.8 million patients, putting their privacy and financial security at risk.
PharMerica, owned by BrightSpring Health Services, is a long-term care pharmacy that serves nursing homes, assisted living facilities, and other care institutions across the United States. With a broad range of pharmaceutical services, it has positioned itself as a key partner to the healthcare industry, handling the timely delivery of patient medications.
Date of the Breach and Suspicious Activity Discovered
The breach was discovered on March 14, 2023, when PharMerica detected suspicious activity on its network. The subsequent investigation determined that an unauthorized third party had accessed the company's systems on March 12 and 13, 2023, and obtained patient data during that window.
The stolen data included both personally identifiable information (PII) and protected health information (PHI): names, addresses, Social Security numbers, medical records, and prescription information.
More than 5.8 million people were affected, making this the largest healthcare data breach reported in 2023 to date. The consequences for those whose information was taken can be severe: the combination of Social Security numbers with medical and prescription details makes victims highly susceptible to identity theft, fraudulent medical claims, and other forms of fraud.
HIPAA Breach Notification Rule
Under the Breach Notification Rule of the Health Insurance Portability and Accountability Act (HIPAA), covered entities must notify the following in the event of a breach:
- The affected individuals
- The Secretary of the Department of Health and Human Services (HHS)
- Prominent media outlets serving a state or jurisdiction, if the breach affected more than 500 residents of that state or jurisdiction
The notifications must be made without unreasonable delay, and in no case later than 60 calendar days after the breach is discovered.
PharMerica’s compliance with the Breach Notification Rule
PharMerica, as a covered entity under HIPAA, is obligated to comply with the Breach Notification Rule. Upon discovering the data breach, the company promptly launched an internal investigation to assess the scope and impact of the incident.
Following the completion of their investigation, the Kentucky-based company took immediate steps to notify affected individuals and other relevant parties as required by law.
Reporting the breach to the Maine Attorney General and HHS
PharMerica operates in all 50 states, and because Maine residents were among those affected, the company was required under Maine's breach notification law to report the incident to the Maine Attorney General's office in addition to notifying HHS. The filing with the Maine Attorney General is the public record that put the total number of affected individuals at roughly 5.8 million.
By reporting the incident to these authorities, PharMerica met its legal notification obligations and gave affected individuals the information they need to protect themselves, such as monitoring their credit and medical records for misuse.
Timelines and Requirements for Breach Notification
The Breach Notification Rule sets clear timelines and requirements for covered entities to notify affected individuals, HHS, and, where applicable, the media: notification must occur without unreasonable delay and no later than 60 calendar days after the date the breach is discovered.
The individual notification must contain specific information, including a brief description of what happened (with the dates of the breach and of its discovery), the types of information involved, steps individuals should take to protect themselves, what the covered entity is doing to investigate and mitigate the incident, and contact information for the covered entity.
Lawsuits and Legal Actions
As expected with a privacy breach of this magnitude, PharMerica is likely to face numerous complaints and legal actions. As of this writing, Berger Montague is investigating potential class-action lawsuits against PharMerica and its parent company, BrightSpring Health Services, on behalf of the affected individuals.
Such lawsuits would aim to hold PharMerica accountable for any negligence or failure to adequately protect the sensitive data entrusted to it.
Lawsuits associated with the breaches, including class action lawsuits
Data breach lawsuits are commonly filed by affected individuals seeking legal recourse. Class action lawsuits involve a representative plaintiff or group of plaintiffs filing the case on behalf of a larger group of affected individuals. These lawsuits streamline the legal process, provide efficiency and cost-effectiveness, and allow individuals with more minor claims to seek compensation collectively.
The court evaluates whether the case meets the criteria for class action status before proceeding to settlement negotiations or trial, where liability and potential damages are determined. Class action lawsuits are crucial for holding organizations accountable and seeking justice for data breach victims.
In the PharMerica case, those affected by the breach are encouraged to come forward and assert their rights. Collective legal action seeks both to hold the company accountable and to secure compensation for victims, while underscoring the need for robust cybersecurity controls in organizations that handle health data.
Minimize Risks of Data Breaches With HIPAA Compliance
The PharMerica data breach serves as a grave reminder of the vulnerability of personal and medical information in the healthcare sector. With the potential for far-reaching consequences, it highlights the critical need for organizations to prioritize cybersecurity measures and ensure compliance with regulations such as HIPAA.
As the fallout from this breach continues, it is clear that the impact on affected individuals and the legal landscape will be significant, underscoring the importance of vigilance and proactive measures in safeguarding sensitive data against constantly evolving threats.