A major pharmaceutical services company and its subsidiary are facing a class action lawsuit over a significant data breach that exposed sensitive personal and health information of potentially hundreds of thousands of individuals. Amanda Tucker filed the complaint in the United States District Court for the Eastern District of Pennsylvania on July 2, 2024, against Cencora, Inc. and The Lash Group, LLC.
The lawsuit alleges that Cencora and The Lash Group failed to properly secure and safeguard personally identifying information (PII) and protected health information (PHI), including names, dates of birth, health diagnoses, medications, and prescriptions. This failure allegedly led to a massive data breach following a cyberattack in February 2024. The plaintiff contends that businesses handling such sensitive data owe a duty to protect it from unauthorized access, especially from hackers with malicious intentions.
Cencora is described as a pharmaceutical giant providing drug distribution, specialty pharmacy services, consulting, and clinical trial support. Its subsidiary, The Lash Group, specializes in patient support technologies. Both companies work with pharmaceutical firms, healthcare providers, and pharmacies to offer various services that require handling sensitive consumer and patient data.
The complaint details how Cencora disclosed the breach in February 2024 but provided little information about its scope or impact. It wasn't until late May 2024 that affected individuals began receiving notifications about the exposure of their PII and PHI. The plaintiff argues that despite knowing the risks associated with storing such valuable data, Cencora failed to implement adequate security measures to prevent unauthorized access.
As a result of this breach, Tucker claims she has suffered actual injury from having her PII and PHI exposed or stolen. She has had to spend time mitigating potential misuse by changing passwords and monitoring accounts while dealing with anxiety over future identity theft or fraud. The lawsuit seeks damages for negligence and negligence per se under Section 5 of the FTC Act and HIPAA regulations governing data security for healthcare information.
The plaintiffs are seeking compensatory damages for mitigation efforts required due to the breach; damages for diminished value of their PII/PHI; costs associated with identity theft protection services; emotional distress; punitive damages; restitution; declaratory judgment affirming defendants' duties under law; injunctive relief requiring improved data security practices by defendants; lifetime identity protection services at defendants' expense; attorneys’ fees; costs incurred during litigation process among other forms equitable monetary relief deemed appropriate by court.
Representing Amanda Tucker are attorneys Gary F. Lynch from Lynch Carpenter LLP based out Pittsburgh PA along Patrick D Donathen same firm Jason S Rathod Migliaccio & Rathod LLP Washington DC case will be presided over Judge assigned docket number Case No: 2:24-cv-2912