The law firm Morgan & Morgan filed a class-action lawsuit in the U.S. District Court for the District of Massachusetts against Injured Workers Pharmacy (IWP) in association with a breach of the personal records of 75,771 clients.
IWP is a pharmacy based in Andover, MA that serves employees who were injured on the job and get workers’ compensation benefits. IWP found out on May 11, 2021 that an unauthorized individual accessed a number of employee email accounts. The compromised email accounts contained sensitive data like names, Social Security numbers and addresses. The compromise of the first email accounts happened in January 2021, which permitted unauthorized access to the records in the email accounts for 4 months before IWP detected the breach and secured the accounts. Affected people were provided no-cost 24-months credit monitoring and identity theft protection services.
Plaintiffs Marsclette Charley and Alexsis Webb assert that IWP didn’t employ appropriate data security safeguards to protect the privacy of their personal data and that of the class members, had not adopted industry security guidelines and hadn’t offered security awareness training to the employees. IWP did not distribute notification letters regarding the breach until February 2022, 9 months after the breach detection. The lawsuit claims breach of implied contract and fiduciary duty, negligence, negligence per se, unjust enrichment, and invasion of privacy.
The plaintiffs assert they face an impending and ongoing threat of identity theft and fraud because of the exposure of their sensitive records to cybercriminals and have had to expend time and money safeguarding themselves versus identity theft and fraud. The lawsuit desires class-action status, damages, a jury trial, repayment of out-of-pocket costs, and legal costs.
IWP is familiar with legal action. In 2020, IWP had a settlement deal involving a case with Massachusetts Attorney General Maura Healey to resolve allegations the organization played a role in sending thousands of bogus opioid painkiller prescriptions throughout the United States between 2006 and 2012. The case was settled by paying $11 million.