Jim Ruble writes:
In January 2021, a nationwide mail-order pharmacy located in Massachusetts experienced a data breach. The pharmacy discovered the breach in May 2021 and investigated to determine its scope. Personally identifiable information (PII), including names and Social Security numbers for more than 75,000 customers, was breached.
In February 2022, 9 months after the initial discovery and 13 months after the breach, the pharmacy began notifying customers of a breach in its computer information. The notification indicated the pharmacy had undertaken a “comprehensive and time-intensive review of the contents” involved in the breach and said the pharmacy “currently [has] no evidence that any information has been misused.” The notification provided customers with information about how they could help protect their personal information but did not offer customers any compensation for credit monitoring.
Two plaintiffs, a customer in Ohio and a customer in Georgia, filed a class action lawsuit alleging failure of the pharmacy to detect and report the breach in a timely manner.
Read more about the case, which was dismissed and then reinstated on appeal, at Pharmacy Times. The class action litigation has now settled for more than $1 million.
For more background, Webb v Injured Workers Pharmacy litigation was previously reported on DataBreaches.net in 2022 and 2023.