pharmerica data breach security incident

PharMerica Data Breach Shockwaves Healthcare Industry

May 31, 2023 — PharMerica suffered a significant data breach that has now been recognized as the largest security incident of the year. The breach exposed a vast amount of sensitive patient data, including personal and medical information, risking the privacy and security of 5.8 million patients.

Owned by BrightSpring Health Services, the renowned long-term care pharmacy company caters to nursing homes, assisted living facilities, and other care institutions across the United States. With a broad range of pharmaceutical services, PharMerica has established itself as a reliable partner in the healthcare industry, ensuring the timely and efficient delivery of patient medications.

PharMerica Data Breach Shockwaves Healthcare Industry

Date of the Breach and Suspicious Activity Discovered

The data breach was first discovered on March 14, 2023, when PharMerica’s security team detected suspicious activity on their network. The investigation that followed revealed that unauthorized individuals had broken into the company’s systems on March 12 and 13, which eventually led to a massive breach.

The stolen data from PharMerica’s data breach contained a wealth of personally identifiable information (PII) and protected health information (PHI). This included names, addresses, social security numbers, medical records, and prescription information. 

More than 5.8 million people were affected, making this the largest breach of 2023 concerning healthcare data. The potential impact on those whose sensitive information is compromised is severe, for they could be highly susceptible to identity theft, fraudulent medical claims, and other malicious mischief.

health breach notification rule

HIPAA Breach Notification Rule

Under the Breach Notification Rule of the Health Insurance Portability and Accountability Act (HIPAA), covered entities must notify the following in the event of a breach:

  • The affected individuals
  • The Secretary of the Department of Health and Human Services (HHS)
  • And in some cases, the media if the breach affected more than 500 individuals in the same state or jurisdiction

The privacy breach notification must be made immediately without any unreasonable delay and typically within 60 days of discovering the breach.

PharMerica’s compliance with the Breach Notification Rule

PharMerica, as a covered entity under HIPAA, is obligated to comply with the Breach Notification Rule. Upon discovering the data breach, the company promptly launched an internal investigation to assess the scope and impact of the incident. 

Following the completion of their investigation, the Kentucky-based company took immediate steps to notify affected individuals and other relevant parties as required by law.

Reporting the breach to the Maine Attorney General and HHS

PharMerica operates in all 50 states of America, including the state of Maine, and thus was required to report the data breach to the Maine Attorney General’s office in addition to the HHS. 

A circulating breach notification sample submitted to the Main Attorney General’s office indicates that some of the breached information belonged to deceased patients.

By reporting the incident to the appropriate authorities, PharMerica fulfilled its legal obligation and contributed to the overall effort to safeguard affected individuals and hold the responsible parties accountable.

Timelines and Requirements for Breach Notification

The Breach Notification Rule sets clear timelines and requirements for covered entities to notify affected individuals, the HHS, and the media, without unreasonable delay or up to 60 calendar days following the date of discovery.

The notification must contain specific information, including a description of the data breach, the types of information involved, recommended steps for affected individuals, and contact information for the covered entity.

data breach case

Lawsuits and Legal Actions

As expected, with a privacy breach of this magnitude, PharMerica will most likely face numerous complaints and legal actions. As of this writing, Berger Montague is investigating possible multiple class-action lawsuits against PharMerica and its parent company, BrightSpring Health Services, on behalf of the individuals affected.

These lawsuits aimed to hold PharMerica accountable for any negligence or failure to protect the sensitive data entrusted to them.

Lawsuits associated with the breaches, including class action lawsuits

Data breach lawsuits are commonly filed by affected individuals seeking legal recourse. Class action lawsuits involve a representative plaintiff or group of plaintiffs filing the case on behalf of a larger group of affected individuals. These lawsuits streamline the legal process, provide efficiency and cost-effectiveness, and allow individuals with more minor claims to seek compensation collectively. 

The court evaluates whether the case meets the criteria for class action status before proceeding to settlement negotiations or trial, where liability and potential damages are determined. Class action lawsuits are crucial for holding organizations accountable and seeking justice for data breach victims.

As in the case of PharMerica, those affected by the breach are strongly encouraged to step forward and contend for their rights. By urging victims to come forward, the collective legal action aims to hold the company accountable and secure compensation while emphasizing the importance of robust cybersecurity measures.

Minimize Risks of Data Breaches With HIPAA Compliance

The PharMerica data breach serves as a grave reminder of the vulnerability of personal and medical information in the healthcare sector. With the potential for far-reaching consequences, it highlights the critical need for organizations to prioritize cybersecurity measures and ensure compliance with regulations such as HIPAA.

As the fallout from this breach continues, it is clear that the impact on affected individuals and the legal landscape will be significant, underscoring the importance of vigilance and proactive measures in safeguarding sensitive data against constantly evolving threats.

Kent Cañas

Kent is a content strategist currently specializing in HIPAA-compliant online fax. Her expertise in this field allows her to provide valuable insights to clients seeking a secure and efficient online fax solution.

More great articles
Senators Demand Answers on Amazon Clinic’s Data Privacy Policies
Senators Demand Answers on Amazon Clinic’s Data Privacy Policies

The senators have asked the company to clarify its Amazon Clinic data privacy policies amid concerns over potential misuse of…

Read Story
audiologist software guide
Your Guide to Audiologist Software: Why Use One and Key Features You Should Know

Audiologists are constantly looking for new and innovative ways to improve their services and better serve their patients. That's why…

Read Story
hipaa rights violation
HIPAA Rights Violations: What You Need to Know and How to Respond

Over the past two decades since its implementation, the Office for Civil Rights received more than 300,000 HIPAA violation complaints.…

Read Story
Subscribe to iFax Newsletter
Get great content to your inbox every week. No spam.

    Only great content, we don’t share your email with third parties.