A mail-order pharmacy is facing a lawsuit after patients claimed it took too long to tell them about a data breach that exposed their personal information.
According to Pharmacy Times, two patients, one from Ohio and another from Georgia, filed a class-action lawsuit against the nationwide mail-order pharmacy, Injured Workers Pharmacy, for failing to provide a timely notification about a data breach that compromised their personal information. The plaintiffs allege that the company’s delayed notification directly resulted in emotional distress, out-of-pocket expenses, and, in one case, identity theft.
One plaintiff discovered a fraudulent tax return had been filed in their name, while the other reported significant anxiety stemming from the uncertainty of the breach’s scope. The lawsuit claimed the delay denied them the opportunity to take immediate, preventative steps, such as credit monitoring or identity protection.
A major mail-order pharmacy based in Massachusetts, Injured Workers Pharmacy, experienced a data breach in January 2021. The breach remained undetected until May of that year, when an internal investigation revealed that the personal information of over 75,000 customers, such as names and Social Security numbers, had been accessed without authorization.
Despite discovering the breach in May, the company did not begin notifying affected customers until February 2022. In its notification, the company stated that a comprehensive review was required to determine the scope of the breach. While customers were advised to take steps to protect their personal data, no free credit monitoring services were offered.
Initially dismissed by a lower court, the case was revived by a federal appeals court, which found that the plaintiffs’ allegations were substantial enough to warrant legal action. In January 2025, the pharmacy agreed to a $1.075 million settlement. Affected individuals can claim up to $5,000 each, and the agreement includes legal fees and service awards for the lead plaintiffs.
Under the Health Insurance Portability and Accountability Act (HIPAA), covered entities and their business associates are legally required to notify individuals when their protected health information (PHI) is compromised in a data breach.
Here’s what HIPAA’s Breach Notification Rule requires:
Delays or failures in notifying individuals, especially in cases involving sensitive or high-risk information, can lead to regulatory scrutiny, litigation, and long-term reputational damage.
Quick notification allows affected individuals to take steps to protect themselves, like monitoring their credit, freezing accounts, or changing passwords, before the information can be misused.
You have the right to be informed of the breach, receive details about what was exposed, and take protective measures. In some cases, you may be eligible for compensation through legal action.
Victims may face identity theft, fraudulent tax filings, medical identity theft, financial loss, emotional distress, and time spent resolving issues.