Infusion Firm Faces Lawsuit After Hackers Hit Parent Company – Source: www.govinfosecurity.com

Source: www.govinfosecurity.com

Cybercrime, Fraud Management & Cybercrime, Governance & Risk Management

Proposed Class Action Claim Against Amerita Linked to Larger PharMerica Breach

Marianne Kolbasuk McGee (HealthInfoSec) • September 28, 2023

Specialty infusion company Amerita is facing a proposed federal class action lawsuit in the wake of a March cyberattack on its parent company, PharMerica, which reported a breach affecting nearly 6 million individuals. Amerita says its breach affected nearly 220,000 individuals.

In its breach notice on Sept. 5, Amerita said that on March 14, it and its parent company PharMerica learned of suspicious activity on their computer network.

Amerita said it promptly began an internal investigation and subsequently determined that an unknown third party accessed and obtained certain data from Amerita’s computer systems from March 12-13.

Amerita said it “recently” identified a data set involved in the incident that contained the personal information of some Amerita patients. That information included name, address, and information pertaining to medical history, diagnosis, medications and health insurance information. The breach did not include Amerita patient Social Security numbers or driver’s license numbers, the company said.

Kentucky-based PharMerica previously reported the hacking incident to HHS OCR and state regulators – on behalf of itself and its parent company, BrightSpring Health Services – in May as affecting more than 5.8 million individuals.

In its breach notice, PharMerica described the incident similarly to Amerita’s breach notification, except PharMerica said that Social Security numbers were potentially compromised.

Back in May, the ransomware group Money Message claimed to be the attacker in the PharMerica incident, posting on its dark web leak site multiple spreadsheets the group said contain patient data. The cybercrime group also posted apparent internal business documents including market models and balance sheets (see: PharMerica Reports Breach Affecting Nearly 6 Million People).

The group claimed to have a 4.7-terabyte database “with 1.6M minimum records of personal data,” threatening to publicly reveal its contents.

Proposed Class Actions

A proposed class action lawsuit, filed by PharMerica patient Jaketrius Lurry in a Kentucky federal court in June, alleges, among other claims, that the company was negligent in failing to protect sensitive health information. That lawsuit seeks relief including actual and putative damages, and an injunctive order for the company to improve its data security practices.

Now, in the wake of the Amerita breach disclosure, which is a separate breach report in the PharMerica incident, a similar proposed class action complaint filed Monday names Amerita as the defendant in a California federal court case.

An attorney representing Andrew Rose, the plaintiff in the lawsuit against Amerita, did not immediately respond to Information Security Media Group’s request for comment on the lawsuit, including why Rose’s litigation was filed against Amerita and not its parent company, PharMerica.

The lawsuit against Amerita alleges that the company failed to implement or follow reasonable data security procedures as required by law and failed to protect plaintiff and the proposed class members’ sensitive information from unauthorized access, putting them at risk for identity theft, fraud and related crimes.

Additionally, the lawsuit against Amerita alleges that while the company learned of the breach on March 13, it waited nearly six months to notify the plaintiff and other class members on Sept. 3.

Amerita did not immediately respond to ISMG’s request for comment on the data breach and the proposed class action lawsuit.

An attorney representing PharMerica also did not immediately respond to ISMG’s request for comment on the lawsuit and the data breach.

Leading Trends

The Amerita and PharMerica data security incident and subsequent lawsuits are in line with several major trends, said regulatory attorney Paul Hales of the law firm Hales Law Group, which is not involved in the litigation against the companies.

“First, private health data breach lawsuits are the fastest growing, most aggressive and feared vehicles for enforcing personal health information privacy rights,” he said.

Also, “the Federal Trade Commission – as plaintiffs in both lawsuits recognize – is suddenly a powerful federal enforcer of health privacy law,” he said, referring to FTC’s various enforcement activities against non-HIPAA regulated companies in health information privacy disputes (see: FTC Makes Moves to Enhance Data Privacy Oversight).

The lawsuits against PharMerica and Amerita each allege that the defendant company failed to comply with FTC guidelines for implementing reasonable data security practices.

Also, healthcare services firms and similar business associates “are plump targets” for hackers because those firms aggregate and maintain protected health information gathered by large numbers of healthcare providers, Hales said.

Complex Breaches

The PharMerica/Amerita incident and resulting litigation also illustrate the complexity that is sometimes involved from a legal and regulatory perspective when breaches affect multiple operations of large national and international healthcare sector firms. Experts say mergers and acquisitions, budget cuts and the rapid adoption of digital and remote services in healthcare are creating more complex IT environments with greater vulnerabilities.

PharMerica’s last available quarterly report from 2017, filed shortly after private equity firm KKR bought it for $1.4 billion, described it as the second-largest institutional pharmacy services company in the U.S. based on revenue and customer-licensed beds.

KKR merged PharMerica with BrightSpring Health Services in 2019 to form a corporation with approximately $4.5 billion in annual revenue.

Original Post URL: https://www.govinfosecurity.com/infusion-firm-faces-lawsuit-after-hackers-hit-parent-company-a-23188