A class-action lawsuit filed against one of the largest pharmacy companies serving US nursing homes and other institutions alleges the company failed to notify consumers of a data breach for more than two months. 

PharMerica, which provides services to more than 3,100 long-term care and other pharmacy programs, was hit by the cybercriminal group Money Message in early March. But the suit alleges that the company was not immediately aware of the breach, “providing cybercriminals unfettered access to its network system for at least two days” before the breach was discovered on March 14.

However, the suit says that the approximately 5.8 million consumers who “had their most sensitive personal information accessed, exfiltrated and stolen” were not informed until at least May. 

“PharMerica Breach Notice obfuscated the nature of the breach and the threat it posed — refusing to tell consumers how many people were impacted, how the breach happened, or why it took PharMerica two months to begin notifying victims that hackers had gained access to highly sensitive [personal identifying information],” the lawsuit said. “Defendant’s failure to timely detect and report the Data Breach made its consumers vulnerable to identity theft without any warnings to monitor their financial accounts or credit reports to prevent unauthorized use of their PII.”

The suit has been filed in the US District Court for the Western District of Kentucky. The lead plaintiff said in the filing that she is not a direct customer of PharMerica, making the event different from “typical data breaches because it affects consumers who had no relationship” with the company. The lawsuit said the plaintiff “assumes” her healthcare provider or a pharmacy she uses gave her personal information — including her date of birth and Social Security number — to PharMerica.

The McKnight’s Business Daily e-newsletter reported on the breach in April, noting that a spokesperson for PharMerica and BrightSpring, which merged in 2018, said the company would notify affected individuals “as quickly as possible and in accordance with applicable law.” The company said it was working with third-party cybersecurity experts and had alerted law enforcement.

The lawsuit noted that PharMerica offered affected individuals one year of complimentary credit monitoring, but the filing alleges that this “does not adequately address the lifelong harm that victims will face following the Data Breach.”

A spokeswoman for PharMerica and BrightSpring told McKnight’s Long-Term Care News in an emailed statement that the company does not comment on pending litigation. 

“Our focus is on continuing to support our customers and providing resources to those individuals whose information was determined to be involved in the incident,” the statement added.