A federal judge has granted preliminary approval to a $5.275 million settlement resolving class action claims against PharMerica Corporation over a massive 2023 data breach that exposed the personal and medical information of nearly 5.82 million people. The ruling, handed down on January 12, 2026, in the U.S. District Court for the Western District of Kentucky, clears the way for affected individuals to file claims for up to $10,000 in documented out-of-pocket losses, plus free credit monitoring and a $1 million identity theft insurance policy.
The claim filing deadline is April 27, 2026, and claims can be submitted through the official settlement website at PMCSettlement.com. The breach, carried out by the Money Message ransomware group in March 2023, ranks among the largest healthcare data breaches reported to the Department of Health and Human Services that year. For someone like a retired nursing home resident whose Social Security number and medication history were swept up in the 4.7 terabytes of stolen data, this settlement represents the first concrete path to compensation — though the per-person payout will depend heavily on how many of the 5.8 million class members actually file.
Table of Contents
- What Does the $5.275M PharMerica Data Breach Settlement Cover?
- Who Qualifies as a Class Member and What Are the Limitations?
- How the Money Message Ransomware Attack Unfolded
- How to File a Claim Before the April 27 Deadline
- What Happens if You Miss the Deadlines or Do Nothing
- PharMerica’s Required Security Improvements
- What This Settlement Signals for Healthcare Data Breach Litigation
- Frequently Asked Questions
What Does the $5.275M PharMerica Data Breach Settlement Cover?
The settlement fund of $5.275 million is designed to cover three buckets: individual claims from affected people, attorney fees and litigation costs, and administrative expenses related to processing claims and sending notices. On top of that cash fund, PharMerica and its parent company BrightSpring Health services have committed to an estimated $2.54 million in cybersecurity improvements and changes to their business practices — bringing the total cost of the settlement to roughly $7.8 million. For individual class members, the headline benefit is reimbursement of up to $10,000 per person for documented, unreimbursed out-of-pocket expenses tied to the breach. That could include costs like paying for credit monitoring you purchased on your own after receiving PharMerica’s breach notification, fees related to credit freezes, charges from fraudulent transactions you had to dispute, or even lost wages if you had to take time off work to deal with identity theft.
The key word is “documented” — you will need receipts, bank statements, or other proof that you spent money dealing with the fallout. Vague claims without supporting paperwork are unlikely to be approved. Every eligible class member can also enroll in one year of Kroll Complete Monitoring at no cost, which bundles credit monitoring across all three bureaus, dark web surveillance, payday loan monitoring, credit score tracking, fraud consultation services, and identity theft resolution assistance. The monitoring package also includes a $1 million identity theft insurance policy. By comparison, purchasing equivalent monitoring coverage on the open market typically runs $20 to $30 per month, so even if you have no documented losses, the monitoring benefit alone has real value.
Who Qualifies as a Class Member and What Are the Limitations?
The class includes all 5,815,591 individuals whose personal information was compromised in the March 2023 PharMerica breach. If you received a breach notification letter from PharMerica or BrightSpring Health Services in mid-to-late 2023, you are almost certainly a class member. The case, styled as Lurry v. PharMerica Corporation, was consolidated in the Western District of Kentucky, Louisville Division, meaning this single settlement covers claims from affected individuals nationwide. However, there are important limitations to understand.
If you already accepted a separate individual settlement or signed a release with PharMerica related to this same breach, you may be barred from claiming here. Additionally, the $5.275 million fund is not unlimited — if a large number of people file valid claims, payments could be reduced on a pro rata basis. To put this in perspective, if even 10 percent of the 5.8 million affected individuals file claims, that would be roughly 580,000 claimants splitting whatever remains of the fund after legal fees and administrative costs. The math gets thin quickly. If you believe you have claims worth more than what this settlement would pay, you have the option to opt out by April 13, 2026, and pursue your own lawsuit independently. This is a tradeoff worth considering carefully — individual litigation is expensive and uncertain, but it preserves your right to seek full damages rather than accepting a capped payout from a shared fund.
How the Money Message Ransomware Attack Unfolded
The PharMerica breach was not a case of an employee clicking a bad link and exposing a few hundred records. The Money Message ransomware group executed a sophisticated “double extortion” attack in March 2023, first exfiltrating an enormous 4.7 terabytes of data from PharMerica’s systems before encrypting the network and demanding payment. This approach gives attackers use even if the victim has good backups — because the stolen data can be published or sold regardless of whether the encryption is reversed. PharMerica Corporation is a Fortune 1000 pharmacy services provider, primarily serving long-term care facilities like nursing homes and assisted living communities. That means the stolen data was particularly sensitive.
Beyond the usual names, addresses, and dates of birth, the attackers got Social Security numbers, medication information, and health insurance details. For elderly patients in long-term care settings — many of whom may not be actively monitoring their credit — this kind of data is a goldmine for identity thieves. A stolen Social Security number paired with a full medication history and insurance details can be used to commit medical identity fraud, file false insurance claims, or open lines of credit that go undetected for months or years. The scale of the breach — affecting nearly 5.82 million individuals — placed it among the most significant healthcare data incidents reported to HHS in 2023. For context, the average healthcare data breach in 2023 affected roughly 300,000 people, making the PharMerica incident nearly 20 times larger than the norm.
How to File a Claim Before the April 27 Deadline
Filing a claim requires visiting the official settlement website at PMCSettlement.com and completing the online claim form before the April 27, 2026, deadline. You will need to provide identifying information that matches PharMerica’s breach records — typically your name, address, and the last four digits of your Social Security number. If you are claiming out-of-pocket expenses, you will also need to upload documentation supporting each expense you list. For those who prefer not to file online, the settlement administrator — Kroll Settlement Administsettlement administrator[contact via the official settlement website].
Kroll handles a large volume of data breach settlements and is one of the more established administrators in this space, which generally means the claims process will be reasonably straightforward. That said, phone-based claims often take longer to process than online submissions, and the risk of errors increases when information is relayed verbally rather than typed directly. One practical consideration: even if you have no documented out-of-pocket losses, you should still file a claim to enroll in the free Kroll Complete Monitoring. Given that your Social Security number and health data are already in the hands of criminals, ongoing monitoring is not optional — it is a necessity. The $1 million identity theft insurance policy alone justifies the few minutes it takes to submit a claim.
What Happens if You Miss the Deadlines or Do Nothing
There are three critical dates to keep track of, and missing any of them has different consequences. The opt-out deadline of April 13, 2026, is only relevant if you want to exclude yourself from the settlement and retain the right to sue PharMerica independently. If you do nothing by that date, you remain in the class and are bound by whatever the court approves. The claim filing deadline of April 27, 2026, is the date by which you must submit your claim to receive any benefits. If you miss this deadline, you get nothing — no reimbursement, no monitoring, no insurance — but you are still bound by the settlement and cannot sue later. The final approval hearing is scheduled for May 12, 2026, at which point the judge will review any objections and decide whether to grant final approval.
This is a common trap in data breach settlements: people who do nothing end up in the worst possible position. They give up their right to sue and receive zero compensation. If you are among the 5.8 million affected individuals, the only losing move is inaction. Even if your claim is modest, submitting it costs nothing and takes minutes. A warning for anyone considering objecting to the settlement rather than opting out: filing an objection keeps you in the class but asks the court to modify or reject the deal. This is a legitimate option if you believe the terms are unfair, but it delays resolution for everyone and rarely results in significantly better terms. If your primary concern is that $5.275 million is inadequate for 5.8 million people — a fair criticism — opting out and consulting with a personal attorney may be a more productive path.
PharMerica’s Required Security Improvements
Beyond the cash fund, the settlement requires PharMerica and BrightSpring Health Services to invest an estimated $2.54 million in cybersecurity upgrades and business practice changes. While the specific improvements have not been fully detailed in public filings, settlements of this type typically mandate measures like enhanced encryption protocols, more rigorous access controls, regular third-party security audits, and improved employee training on phishing and social engineering attacks.
These injunctive relief provisions matter more than most class members realize. The cash payout compensates for past harm, but the security improvements are what reduce the risk of a repeat incident. For the thousands of nursing home and assisted living residents who remain PharMerica customers, these changes directly affect whether their data will be better protected going forward.
What This Settlement Signals for Healthcare Data Breach Litigation
The PharMerica settlement reflects a broader trend in healthcare data breach litigation: companies are settling faster and for larger amounts as courts become more receptive to plaintiffs’ claims of concrete harm from data exposure. Five years ago, many data breach cases were dismissed at the standing stage because courts required plaintiffs to show actual identity theft, not just the risk of it. That legal landscape has shifted considerably, and the PharMerica case — with its 5.8 million affected individuals and confirmed ransomware exfiltration — presented defendants with significant litigation risk.
Looking ahead, the final approval hearing on May 12, 2026, should be largely procedural unless a significant number of objections are filed. Assuming final approval is granted, claim payments and monitoring enrollment would likely begin in the summer of 2026. For the broader healthcare industry, settlements like this one reinforce that inadequate cybersecurity is not just a regulatory risk — it is a direct financial liability that can cost tens of millions when you factor in legal fees, settlement funds, security remediation, and reputational damage.
Frequently Asked Questions
How do I know if I am part of the PharMerica data breach settlement?
If you received a data breach notification letter from PharMerica or BrightSpring Health Services in 2023, you are likely a class member. The breach affected 5,815,591 individuals. You can also check your eligibility at PMCSettlement.com or call Kroll Settlement Administration at 833-754-6609.
What is the maximum amount I can claim from the PharMerica settlement?
Individual class members can claim up to $10,000 for documented, unreimbursed out-of-pocket expenses related to the breach. However, all claims require supporting documentation such as receipts, bank statements, or other proof of expenses incurred.
What if I have no out-of-pocket losses from the breach?
You should still file a claim to enroll in one year of free Kroll Complete Monitoring, which includes credit monitoring, dark web surveillance, and a $1 million identity theft insurance policy. These benefits have real value even if you have not yet experienced financial losses.
When is the deadline to file a claim?
The claim filing deadline is April 27, 2026. The opt-out deadline — for those who want to preserve the right to sue independently — is April 13, 2026. The final approval hearing is scheduled for May 12, 2026.
Can I opt out and still file a claim?
No. If you opt out of the settlement by April 13, 2026, you exclude yourself from all benefits, including reimbursement and free monitoring. Opting out preserves your right to file an independent lawsuit against PharMerica, but you would need to pursue that at your own expense.
What data was stolen in the PharMerica breach?
The Money Message ransomware group exfiltrated 4.7 terabytes of data, including names, addresses, dates of birth, Social Security numbers, medication information, and health insurance details. This combination of personal, financial, and medical data creates significant risk for both financial and medical identity fraud.
You Might Also Like
- Up to $1M Seven Counties Services Data Breach Settlement — Cash and Credit Monitoring Available
- Proof Required Or Not: What The Capital Health Data Breach Settlement Actually Needs
- Proof Required Or Not: What The 23andMe Customer Data Security Breach Settlement Actually Needs