On March 12-13, 2023, PharMerica—one of the nation’s largest long-term care pharmacy providers—suffered a devastating ransomware attack that exposed approximately 5.8 million patient records. This breach, discovered on March 14, 2023, represents the largest health data breach of that year. The compromised information included names, dates of birth, Social Security numbers, medication lists, and health insurance details belonging to people who received pharmacy services at nursing homes, assisted living facilities, and other long-term care settings. A federal court has approved a $5.275 million settlement to compensate affected individuals, with eligible claimants able to receive up to $10,000 for documented losses related to the breach.
The settlement represents a meaningful recovery for those harmed by this security failure. If you received medications dispensed by PharMerica between 2022 and early 2023, or if you’re a family member of someone in long-term care who used their pharmacy services during that period, you may be entitled to compensation. The settlement process began in January 2026 when the federal court granted preliminary approval, and claims are currently being accepted with a strict deadline of April 27, 2026. All class members are also receiving one year of free credit monitoring through Kroll Complete Monitoring to help protect against identity theft.
Table of Contents
- How Did the PharMerica Breach Occur and What Made It So Severe?
- What Personal Information Was Stolen in This Attack?
- What Does the $5.275 Million Settlement Include?
- Who Is Eligible to File a Claim, and How Do You Do It?
- What’s Included in the Free Credit Monitoring Benefit?
- What Happens With the Final Approval and After Settlement Closes?
- Should You File a Claim Even If You’re Unsure About Your Losses?
- Conclusion
How Did the PharMerica Breach Occur and What Made It So Severe?
The breach was executed by the Money Message cybercriminal group, which deployed ransomware to PharMerica’s systems during the March 12-13, 2023 attack window. Rather than simply encrypting files for ransom, the attackers exfiltrated 4.7 terabytes of data—an enormous volume containing sensitive health and personal information. This method, known as double extortion, allows criminals to demand payment either to restore systems or to prevent the sale or public release of stolen data.
The sheer volume of data stolen, combined with the sensitive nature of health records, made this breach particularly consequential for millions of patients and their families. What made this breach especially significant was PharMerica’s role in the healthcare ecosystem. As a provider serving long-term care facilities across the country, PharMerica maintained records for elderly patients and people with chronic conditions—populations particularly vulnerable to identity theft and fraud. When a pharmacy’s entire patient database is compromised, it doesn’t just affect individual patients; it creates ripple effects through the healthcare system. Patients had to monitor their credit reports, consider identity theft protection services, and deal with the anxiety of knowing their most sensitive medical information was in criminal hands.
What Personal Information Was Stolen in This Attack?
The compromised data included a complete picture of each patient’s health profile and financial identity. Names, dates of birth, and social security numbers formed the foundation for potential identity theft schemes. Beyond that, the attackers obtained complete medication lists—information that reveals diagnoses, chronic conditions, and serious health vulnerabilities. Health insurance information was also exposed, allowing criminals to potentially file fraudulent claims or access healthcare services under victims’ names.
For someone whose medical and financial data was stolen together, this creates an almost perfect storm of vulnerability to identity theft. The combination of medication information with personal identifiers makes this breach particularly dangerous. If you know someone is taking medications for specific conditions, combined with their Social Security number and date of birth, you have the tools to open accounts, file false insurance claims, or commit medical identity theft. A patient taking insulin might be identified as diabetic; medication for heart conditions reveals cardiovascular disease; psychiatric medications indicate mental health treatment. Criminals can weaponize this information to open new accounts or access healthcare services. The one-year free credit monitoring provided by the settlement is helpful, but ongoing vigilance—particularly around medical identity theft—remains important for affected individuals.
What Does the $5.275 Million Settlement Include?
The settlement provides up to $10,000 per claimant for documented losses directly related to the breach. This covers a range of harms: if you were a victim of identity theft, fraud, or credit damage following the breach, you can claim compensation for those losses. The settlement also covers professional fees—such as charges from an identity theft attorney or credit repair service—and costs for credit monitoring or security services that you purchased out of pocket. This tiered approach recognizes that not every affected person suffered the same level of harm, and compensation is available on a documented basis rather than a fixed amount for everyone.
For example, if you discovered fraudulent credit card charges using your information after the PharMerica breach and had to hire an attorney to dispute them, or if you paid for identity theft protection services, you could document these losses and claim them. The settlement cap of $10,000 per person reflects courts’ assessment of proportionate compensation, and the fund must be divided among all valid claimants. If the total claims exceed $5.275 million, payments will be prorated—meaning each person gets an equal percentage of their claimed amount. This is an important limitation to understand: if many people file claims for large amounts, individual payouts may be reduced accordingly. Additionally, attorney’s fees and claim administrator costs will be deducted from the settlement pool before individual claimants receive their compensation.
Who Is Eligible to File a Claim, and How Do You Do It?
If you received pharmacy services from PharMerica at a long-term care facility during the period when the breach occurred (or shortly before and after), you are likely a member of the settlement class and eligible to file a claim. This includes people in nursing homes, assisted living facilities, and other institutional settings. If you’re a family member of someone who was the direct patient, you may be able to file on their behalf. The settlement class definition focuses on individuals whose information was actually in PharMerica’s systems, not people who simply heard about the breach or were concerned they might be affected. To file a claim, you’ll need to complete the claim form available through the settlement administrator’s website and submit it before the April 27, 2026 deadline.
The form will ask you to document any losses you suffered—medical identity theft, fraudulent charges, credit monitoring expenses, attorney fees, or other breach-related costs. Keep receipts, credit reports, and any correspondence showing fraud attempts or resolution efforts. One critical deadline to note: the objection and exclusion deadline is April 13, 2026, which is two weeks before the claim deadline. If you want to object to the settlement terms or exclude yourself from the class, you must do so by April 13. Most affected individuals should file claims rather than exclude themselves, as the settlement provides meaningful compensation for documented losses.
What’s Included in the Free Credit Monitoring Benefit?
All class members are eligible for one year of free credit monitoring through Kroll Complete Monitoring, regardless of whether they file a claim for direct losses. This benefit is automatic and does not require you to prove you suffered harm—simply being in the settlement class qualifies you. The monitoring service will track your credit reports from the three major bureaus (Equifax, Experian, and TransUnion), alert you to suspicious activity, and help you understand changes to your credit file. This is a valuable protection because credit monitoring can catch fraudulent accounts or inquiries before they cause serious damage. However, it’s important to understand the limitations of credit monitoring.
It alerts you after fraudulent activity has occurred—it doesn’t prevent it. If a criminal opens an account in your name, credit monitoring will help you discover and address it, but you’ll still need to spend time disputing charges and correcting your credit report. Additionally, the one-year duration is limited; after that period ends, you’ll need to decide whether to purchase ongoing monitoring separately. Medical identity theft—where someone uses your information to obtain healthcare services—often doesn’t show up on credit reports, so monitoring doesn’t protect against this specific threat. For comprehensive protection, you should also consider placing a fraud alert with credit bureaus and reviewing your medical billing statements regularly.
What Happens With the Final Approval and After Settlement Closes?
The settlement is currently under preliminary approval, and the federal court will hold a final approval hearing on May 12, 2026. This hearing allows the judge to review the settlement terms, hear any objections, and make a final determination about whether to approve it. Once final approval is granted, the settlement becomes binding, and the claims process can move forward toward distribution. The May 12 date is important to track because it represents the final legal checkpoint before compensation distribution begins in earnest.
After the settlement closes and claims are processed, the settlement administrator will typically have several months to verify claims and arrange payment. Payments are usually made by check or direct deposit to the address or account provided on your claim form. Given that we’re already in May 2026, with final approval expected shortly after, claimants can expect payment distribution to begin in mid-to-late 2026 if all goes according to the court’s timeline. The complete legal process—from preliminary approval to final distribution—typically takes several months, so patience will be necessary.
Should You File a Claim Even If You’re Unsure About Your Losses?
If you have any reason to believe you were affected by the PharMerica breach, you should file a claim. The worst that can happen is that your claim is reviewed and either approved for the losses you document or denied if you cannot provide supporting evidence. Failing to file by April 27, 2026 means missing the opportunity entirely. Many people don’t file settlements claims because they underestimate their losses or assume the process is too complicated—but the claim form is designed to be accessible, and the settlement administrator provides guidance. Even if you only spent money on credit monitoring services or invested time dealing with fraud inquiries, these can be documented and claimed.
One important forward-looking consideration: this settlement addresses losses through 2026, but the effects of a major health data breach can persist for years. Identity theft protection and credit monitoring should remain priorities in your personal financial management. The free monitoring provided through the settlement is valuable, but it’s temporary. After that year expires, consider whether purchasing ongoing identity theft protection makes sense for you, particularly given that your Social Security number, date of birth, and health information are already in the hands of criminals. This breach serves as a reminder that in healthcare, data security failures affect real people with real consequences.
Conclusion
The PharMerica settlement represents a meaningful opportunity for the approximately 5.8 million people affected by one of 2023’s largest health data breaches. With up to $10,000 available per claimant for documented losses, plus automatic one-year credit monitoring for all class members, the settlement structure acknowledges the real harms caused by this security failure. The key is taking action before the April 27, 2026 claim deadline—after that date, you forfeit your right to compensation.
To protect yourself, file your claim promptly with documentation of any losses you experienced. Review the terms carefully, take advantage of the free credit monitoring while it’s available, and continue monitoring your credit and medical accounts for fraudulent activity long after the settlement concludes. Data breaches involving healthcare information have lasting consequences, and this settlement provides tools and compensation to help mitigate some of that damage. Don’t let the deadline pass without filing if you believe you may be affected.