PharMerica Corporation and its parent company BrightSpring Health Services have agreed to pay $5.275 million to settle a class action lawsuit stemming from a massive 2023 data breach that exposed the personal and medical information of nearly 5.82 million people. A federal judge in the Western District of Kentucky granted preliminary approval of the settlement on January 12, 2026, and affected individuals can now file claims for up to $10,000 in documented losses, plus free credit monitoring with $1 million in identity theft insurance. If you received prescription services through PharMerica at any point before the breach, there is a reasonable chance your data was compromised — and the claims deadline of April 27, 2026 is approaching fast.
The breach itself traces back to the Money Message ransomware group, which infiltrated PharMerica’s systems over two days in March 2023 and allegedly made off with 4.7 terabytes of stolen data. That is not a typo — terabytes, not gigabytes. The stolen information included Social Security numbers, dates of birth, medication records, and health insurance details, which is essentially a starter kit for identity theft. This article covers exactly what happened during the breach, what the settlement offers, how to file a claim, and what security changes PharMerica has committed to going forward.
Table of Contents
- What Happened in the PharMerica Data Breach That Affected Nearly 6 Million People?
- How Much Can You Claim from the $5.275 Million PharMerica Settlement?
- Who Is Eligible and How Does Filing a Claim Work?
- What Security Changes Is PharMerica Making After the Breach?
- Why Healthcare Data Breaches Carry Unique Risks
- How This Settlement Compares to Other Major Healthcare Breach Cases
- What Affected Individuals Should Do Before the April 2026 Deadline
- Conclusion
- Frequently Asked Questions
What Happened in the PharMerica Data Breach That Affected Nearly 6 Million People?
On March 12 and 13, 2023, the Money Message ransomware group accessed the computer systems of PharMerica and BrightSpring Health Services. PharMerica did not detect the suspicious activity until March 14, 2023 — one full day after the intrusion had already concluded its initial data exfiltration. The attackers claimed to have stolen 4.7 terabytes of data, and in a move typical of ransomware operations, they published portions of the stolen data on their own site to pressure PharMerica into paying a ransom. PharMerica ultimately reported the breach to the Maine Attorney General and the U.S. Department of Health and Human Services Office for Civil Rights, confirming that 5,815,591 individuals were affected.
To put that number in context, that is roughly the entire population of Minnesota. The compromised data included names, addresses, dates of birth, Social Security numbers, medication information, and health insurance information — a combination that makes affected individuals vulnerable not just to financial fraud but to medical identity theft, where someone uses your insurance to obtain prescriptions or medical care in your name. Compared to other recent healthcare breaches, PharMerica’s incident ranks among the largest. While the Change Healthcare breach in 2024 dwarfed it in scope, PharMerica’s breach stands out for the sensitivity of the data involved. Medication records can reveal conditions that people may not want disclosed — mental health treatments, HIV medications, substance abuse therapies — and once that information is in criminal hands, there is no taking it back.
How Much Can You Claim from the $5.275 Million PharMerica Settlement?
The settlement, filed as *In Re: PharMerica Data Breach Litigation*, Case No. 3:23-cv-00297-RGJ-CHL in the U.S. District Court for the Western District of Kentucky, creates a $5.275 million total settlement fund. Class members who can document unreimbursed losses caused by the breach can claim up to $10,000 per person. That includes out-of-pocket costs like credit monitoring services you purchased on your own, bank fees from fraudulent transactions, costs of credit freezes, and time spent dealing with identity theft at a reasonable hourly rate. However, the key word here is “documented.” You cannot simply claim $10,000 and expect a check.
You will need receipts, bank statements, or other supporting documentation that ties your losses directly to the PharMerica breach. If you noticed fraudulent charges on your credit card in 2023 or 2024 but cannot demonstrate a connection to this specific breach, your claim may be denied or reduced. It is also worth remembering that $5.275 million divided among even a fraction of 5.8 million affected individuals does not go very far — if claims exceed the fund, individual payouts will be reduced proportionally. This is the uncomfortable math of most data breach settlements: the per-person amount often works out to very little unless you have significant documented losses. All class members, regardless of whether they file for monetary compensation, are automatically entitled to one year of Kroll Complete Monitoring at no cost. That package includes credit monitoring, dark web monitoring, payday loan monitoring, Social Security scan, fraud consultation, identity theft restoration services, real-time inquiry alerts, credit score reporting, and $1 million in insurance coverage for fraud and identity theft with no deductible. Even if you do not have documented out-of-pocket losses, enrolling in this monitoring is worth the few minutes it takes.
Who Is Eligible and How Does Filing a Claim Work?
Six class representatives were named in the lawsuit on behalf of the nearly 5.82 million affected individuals. If you received a notification letter from PharMerica about the breach, you are almost certainly a class member. But even if you did not receive a letter — notification mailings are notoriously unreliable, especially for people who have moved — you may still be eligible if your data was held by PharMerica or BrightSpring Health Services at the time of the breach. The official settlement website is PMCSettlement.com, and claims can be filed through the portal at forms.ksacms.com. The claims deadline is April 27, 2026, and that is a hard cutoff.
Missing it means forfeiting your right to any payment from the settlement fund. If you plan to claim documented losses, start gathering your records now — bank statements showing fraudulent charges, receipts for credit monitoring services, any correspondence with credit bureaus or financial institutions about fraud tied to your compromised data. For example, if you paid $29.99 per month for an identity theft protection service after receiving your breach notification, twelve months of statements showing those charges could support a claim of roughly $360 in out-of-pocket losses. The final fairness hearing is scheduled for May 12, 2026, at which point the judge will decide whether to grant final approval of the settlement terms. If you believe the settlement is inadequate — and some consumer advocates argue that $5.275 million is a drop in the bucket for a breach of this magnitude — you have the right to object before that hearing. You also have the right to opt out of the settlement entirely and pursue your own legal action, though the practical cost and difficulty of doing so makes that route viable only for individuals with substantial, well-documented losses.
What Security Changes Is PharMerica Making After the Breach?
Beyond the $5.275 million settlement fund, PharMerica has committed to spending an estimated additional $2.54 million on business practice changes and technical security safeguards. That brings the total cost of the settlement and remediation to roughly $7.8 million — still a fraction of what the breach cost affected individuals in aggregate, but a meaningful investment in preventing a repeat incident. The tradeoff here is one that plays out in nearly every data breach settlement. Companies agree to spend money on security improvements they arguably should have had in place before the breach, and class members accept a modest payout in exchange for avoiding the uncertainty of a trial. From PharMerica’s perspective, $7.8 million in total costs is manageable — the company handles pharmacy services for long-term care facilities across the country and processes enormous volumes of sensitive health data daily.
From the class members’ perspective, the alternative was years of additional litigation with no guaranteed outcome. Settlements like this one are compromises by design, and whether they represent justice depends largely on what PharMerica actually implements on the security side and whether regulators hold the company accountable for follow-through. It is worth noting that PharMerica’s parent company, BrightSpring Health Services, is also named as a defendant. This matters because systemic security failures often originate at the corporate parent level — shared IT infrastructure, consolidated data storage, and centralized security policies mean that a weakness at the top can cascade to every subsidiary. Whether BrightSpring’s own security practices receive adequate scrutiny as part of this settlement remains an open question.
Why Healthcare Data Breaches Carry Unique Risks
Healthcare data breaches are fundamentally different from, say, a retail credit card breach. If your credit card number is stolen, your bank issues you a new card and reverses the charges. The inconvenience is real but limited. When your Social Security number, date of birth, and medication history are stolen together, the damage is both deeper and more permanent. You cannot get a new Social Security number except in extraordinary circumstances. You cannot un-disclose your medical history. The PharMerica breach is a case study in why healthcare organizations remain such attractive targets for ransomware groups.
The data is extraordinarily valuable on dark web markets — a complete healthcare record can sell for ten times the price of a credit card number because it enables a wider range of fraud, from filing false tax returns to obtaining prescription drugs to creating synthetic identities. The Money Message group understood this, which is why they published stolen data publicly to pressure PharMerica into paying. Whether PharMerica paid the ransom has not been publicly confirmed, but the exfiltration of 4.7 terabytes suggests the attackers had extensive, prolonged access to the company’s systems. A limitation worth understanding: even with the Kroll monitoring included in this settlement, credit monitoring is a reactive tool, not a preventive one. It tells you after someone has tried to use your information, not before. If you were affected by this breach, consider placing a credit freeze with all three major bureaus — Equifax, Experian, and TransUnion — which is free and prevents new accounts from being opened in your name entirely. A freeze is a more aggressive step than monitoring, but given that Social Security numbers and dates of birth were compromised, it is arguably the more appropriate response.
How This Settlement Compares to Other Major Healthcare Breach Cases
The PharMerica settlement of $5.275 million for 5.8 million affected individuals works out to less than one dollar per person if the fund were divided equally — though in practice, most class members will not file claims, which means those who do will receive more. For comparison, the Anthem data breach settlement in 2018 totaled $115 million for roughly 79 million affected individuals, and the Premera Blue Cross settlement was $74 million for 11 million people. On a per-capita basis, the PharMerica settlement is on the lower end, though the inclusion of $2.54 million in mandatory security improvements and the Kroll monitoring package add non-cash value that raw dollar comparisons miss.
The real question is whether settlements of this size create any meaningful deterrent. When a company can expose the sensitive data of nearly 6 million people and resolve the resulting litigation for $5.275 million, the economics arguably favor cutting corners on security. Until penalties scale with the actual harm caused — or until regulators impose requirements that make breaches more costly than prevention — the pattern will repeat.
What Affected Individuals Should Do Before the April 2026 Deadline
The clock is ticking. With the claims deadline set for April 27, 2026, affected individuals have a narrow window to act. Visit PMCSettlement.com to confirm your eligibility, review the settlement terms, and file your claim. If you have documented out-of-pocket losses, submit them with supporting evidence. If you do not have documented losses, enroll in the free Kroll monitoring at minimum.
Looking ahead, the final fairness hearing on May 12, 2026 will determine whether this settlement proceeds as structured. Barring unusual objections or complications, approval is likely — most data breach settlements that reach the preliminary approval stage proceed to final approval. But the broader question of whether the healthcare industry will meaningfully improve its data security practices remains unresolved. Congress has repeatedly considered but failed to pass comprehensive federal data privacy legislation, and HIPAA enforcement, while not toothless, has not kept pace with the scale and sophistication of modern cyber threats. For the 5.8 million people affected by the PharMerica breach, the settlement offers a measure of compensation and protection. Whether it offers accountability is another matter entirely.
Conclusion
The PharMerica data breach settlement of $5.275 million addresses one of the largest healthcare data breaches in recent years, covering nearly 5.82 million individuals whose names, Social Security numbers, medication records, and other sensitive information were stolen by the Money Message ransomware group in March 2023. Class members can claim up to $10,000 in documented losses and receive free credit monitoring with $1 million in identity theft insurance, while PharMerica has committed to an additional $2.54 million in security improvements.
If you were a PharMerica customer or received services through a facility that used PharMerica’s pharmacy services, do not wait. File your claim at PMCSettlement.com before the April 27, 2026 deadline, freeze your credit with all three bureaus, and enroll in the Kroll monitoring regardless of whether you have documented losses. The settlement is modest relative to the scale of the breach, but leaving money and free protections on the table benefits no one except the company that failed to protect your data in the first place.
Frequently Asked Questions
Who is eligible for the PharMerica data breach settlement?
Anyone among the 5,815,591 individuals whose personal information was compromised during the March 2023 breach of PharMerica and BrightSpring Health Services systems. If you received a breach notification letter, you are a class member. If you are unsure, check your eligibility at PMCSettlement.com.
How much money can I receive from the PharMerica settlement?
Class members can claim up to $10,000 for documented, unreimbursed out-of-pocket losses caused by the breach. You must provide supporting documentation such as bank statements, receipts, or credit bureau correspondence. All class members also receive free Kroll Complete Monitoring for one year, which includes $1 million in identity theft insurance.
What is the deadline to file a PharMerica data breach claim?
The claims deadline is April 27, 2026. Claims can be submitted through the official settlement website at PMCSettlement.com or through the claims portal at forms.ksacms.com. Missing this deadline forfeits your right to compensation.
What data was stolen in the PharMerica breach?
The Money Message ransomware group stole names, addresses, dates of birth, Social Security numbers, medication information, and health insurance information. The group claimed to have exfiltrated 4.7 terabytes of data total and published some of it publicly to pressure PharMerica.
Should I freeze my credit after the PharMerica breach?
Yes. Because Social Security numbers and dates of birth were compromised, a credit freeze is one of the most effective steps you can take. Freezes are free with all three major bureaus — Equifax, Experian, and TransUnion — and prevent anyone from opening new credit accounts in your name. This is more protective than credit monitoring alone, which only alerts you after suspicious activity occurs.
When will the settlement be finalized?
The final fairness hearing is scheduled for May 12, 2026, in the U.S. District Court for the Western District of Kentucky. If the judge grants final approval, payments to class members will follow, though the exact timeline for distribution depends on whether any appeals are filed.