Patients Allege Home Delivery Pharmacy Failed Timely Notification of Data Breach

FACTS OF THE CASE

In January 2021, a nationwide mail-order pharmacy located in Massachusetts experienced a data breach. The pharmacy discovered the breach in May 2021 and investigated to determine its scope. Personally identifiable information (PII), including names and Social Security numbers for more than 75,000 customers, was breached.

Image credit: neirfy | stock.adobe.com

In February 2022, 9 months after the initial discovery and 13 months after the breach, the pharmacy began notifying customers of a breach in its computer information. The notification indicated the pharmacy had undertaken a “comprehensive and time-intensive review of the contents” involved in the breach and said the pharmacy “currently [has] no evidence that any information has been misused.” The notification provided customers with information about how they could help protect their personal information but did not offer customers any compensation for credit monitoring.

PROCEDURE AND OUTCOME

Two plaintiffs, a customer in Ohio and a customer in Georgia, filed a class action lawsuit alleging failure of the pharmacy to detect and report the breach in a timely manner. They alleged that this resulted in lost value of their PII; damages from prevention, detection, recovery from identity theft, tax fraud, and other unauthorized use of their PII; lost opportunity costs to mitigate consequences of the data breach; and emotional distress. The Ohio plaintiff experienced identity theft and misuse by a third party who filed a tax return in the plaintiff ’s name. The Georgia plaintiff alleged she was not provided specific details about what types of information were accessed and subsequently expressed fears for her financial security.

The defendant pharmacy filed a motion to dismiss the lawsuit, challenging the plaintiffs’ legal standing based on a lack of actual or imminent injury-in-fact. The pharmacy asserted the filing of a false tax return was “not fairly traceable to the [pharmacy’s] purported wrongdoing.” The district court granted the defendant pharmacy’s motion to dismiss based on a lack of “concrete and particularized injuries that are actual or imminent.”

Upon the plaintiffs’ appeal, the First Circuit Court of Appeals held the allegations did provide sufficient traceability and redressability elements to create legal standing, reversing the dismissal and remanding the case back to the District Court. In January 2025, a settlement agreement between the parties was approved by the

District Court. The plaintiffs were awarded attorney’s fees, expenses,

and service costs, and the settlement agreement includes a fund of

$1.075 million, with a cap of $5000 per class member.

REFERENCE

Webb v Injured Workers Pharmacy, LLC, 1:22-cv-10797-RGS (ED Mass 2022).