Infusion Firm Faces Lawsuit After Hackers Hit Parent Company
Proposed Class Action Claim Against Amerita Linked to Larger PharMerica Breach
Specialty infusion company Amerita is facing a proposed federal class action lawsuit in the wake of a March cyberattack on its parent company, PharMerica, which reported a breach affecting nearly 6 million individuals. Amerita says its breach affected nearly 220,000 individuals.
In its breach notice on Sept. 5, Amerita said that on March 14 it and its parent company PharMerica had learned of suspicious activity on their computer network.
Amerita said it had promptly begun an internal investigation and subsequently determined that an unknown third party accessed and obtained certain data from Amerita's computer systems on March 12-13.
Amerita said it "recently" had identified a data set involved in the incident that contained the personal information of some Amerita patients. That information included name, address, and information pertaining to medical history, diagnosis, medications and health insurance information. The breach did not include Amerita patients' Social Security numbers or driver’s license numbers, the company said.
Kentucky-based PharMerica previously reported the hacking incident to HHS OCR and state regulators - on behalf of itself and its parent company, BrightSpring Health Services - in May as affecting more than 5.8 million individuals.
In its breach notice, PharMerica's description of the incident was similar to Amerita's breach notification, except PharMerica said that Social Security numbers had potentially been compromised.
In May, the ransomware group Money Message claimed to be the attacker in the PharMerica incident, posting on its dark web leak site multiple spreadsheets the group said contained patient data. The cybercrime group also posted apparent internal business documents, including market models and balance sheets (see: PharMerica Reports Breach Affecting Nearly 6 Million People).
The group claimed to have a 4.7-terabyte database "with 1.6M minimum records of personal data" and threatened to publicly reveal its contents.
Proposed Class Actions
A proposed class action lawsuit, filed by PharMerica patient Jaketrius Lurry in a Kentucky federal court in June, alleges, among other claims, that the company was negligent in failing to protect sensitive health information. That lawsuit seeks relief, including actual and putative damages, and an injunctive order for the company to improve its data security practices.
Now, in the wake of the Amerita breach disclosure - a separate breach report in the PharMerica incident - a similar proposed class action complaint filed Monday names Amerita as the defendant in a California federal court case.
An attorney representing Andrew Rose, the plaintiff in the lawsuit against Amerita, did not immediately respond to Information Security Media Group's request for comment on the lawsuit, including why Rose's litigation was filed against Amerita and not its parent company, PharMerica.
The lawsuit against Amerita alleges that the company failed to implement or follow reasonable data security procedures as required by law and failed to protect the plaintiff's and the proposed class members' sensitive information from unauthorized access, putting them at risk for identity theft, fraud and related crimes.
The lawsuit against Amerita also alleges that while the company learned of the breach on March 13, it waited nearly six months to notify the plaintiff and other class members on Sept. 3.
Amerita did not immediately respond to ISMG's request for comment on the data breach and the proposed class action lawsuit.
An attorney representing PharMerica also did not immediately respond to ISMG's request for comment on the lawsuit and the data breach.
The Amerita and PharMerica data security incident and subsequent lawsuits are in line with several major trends, said regulatory attorney Paul Hales of the law firm Hales Law Group, which is not involved in the litigation against the companies.
"First, private health data breach lawsuits are the fastest-growing, most aggressive and feared vehicles for enforcing personal health information privacy rights," he said.
Also, "the Federal Trade Commission - as plaintiffs in both lawsuits recognize - is suddenly a powerful federal enforcer of health privacy law," he said, referring to FTC's various enforcement activities against non-HIPAA regulated companies in health information privacy disputes (see: FTC Makes Moves to Enhance Data Privacy Oversight).
The lawsuits against PharMerica and Amerita each allege that the defendant company failed to comply with FTC guidelines for implementing reasonable data security practices.
Also, healthcare services firms and similar business associates "are plump targets" for hackers because those firms aggregate and maintain protected health information gathered by large numbers of healthcare providers, Hales said.
The PharMerica/Amerita incident and resulting litigation also illustrate the complexity that is sometimes involved from a legal and regulatory perspective when breaches affect multiple operations of large national and international healthcare sector firms. Experts say mergers and acquisitions, budget cuts and the rapid adoption of digital and remote services in healthcare are creating more complex IT environments with greater vulnerabilities.
PharMerica's last available quarterly report from 2017, filed shortly after private equity firm KKR bought it for $1.4 billion, described it as the second-largest institutional pharmacy services company in the U.S. based on revenue and customer-licensed beds.
KKR merged PharMerica with BrightSpring Health Services in 2019 to form a corporation with approximately $4.5 billion in annual revenue.