BioPlus Specialty Pharmacy Services Faces Class Action Lawsuit Over Data Breach

A specialty pharmacy in Florida faces a class-action lawsuit over an October 2021 cyberattack that resulted in the theft of the personally identifiable information (PII) and protected health information (PHI) of approximately 350,000 patients.

BioPlus Specialty Pharmacy Services in Altamonte Springs, FL said a hacker had access to its network between October 25, 2021 and November 11, 2021, and during that period viewed information that included sensitive patient data. A computer forensics company investigated the incident and confirmed the compromise of patient information. Because it could not be determined how many people were affected, the healthcare provider decided to mail breach notification letters to the 350,000 individuals on December 10, 2021, which is a month after the discovery of the data breach.

Information likely breached in the attack included names, birth dates, contact data, Social Security numbers, medical record numbers, medical insurance and claims details, diagnoses, and medication data. Affected individuals were offered a complimentary one-year membership to credit monitoring services.

At the end of December, BioPlus patient Bonnie Gilbert and her lawyers filed a lawsuit in the U.S. District Court for the Middle District of Florida claiming that BioPlus had violated the Health Insurance Portability and Accountability Act (HIPAA) by failing to protect the confidentiality, availability and integrity of its patients’ PHI.

The legal action alleges negligence for failing to maintain adequate data security measures, failing to use industry-standard data security strategies, and failing to exercise reasonable care in the selection and administration of its staff and providers. The lawsuit further alleges that BioPlus failed to detect the attack and the exfiltration of sensitive files from its system, and that it mailed breach notices late. The lawsuit states that if reasonable care had been taken and correct data security procedures had been in place, the attack might have been noticed sooner and/or averted.

The lawsuit states that the plaintiff and class members have suffered a number of actual and impending damages due to the data breach, such as the theft of their PII and PHI, violation of privacy, a decline in the economic value of their PII and PHI, emotional stress, and a considerable current and future danger of identity theft and financial scams, in addition to incurring costs in seeking to mitigate and manage the consequences of the security breach.

The lawsuit seeks a jury trial, class action certification, declaratory relief, injunctive relief, and financial compensation. Morgan & Morgan and Markovits, Stock, & DeMarco LLC represent the plaintiff.

Elizabeth Hernandez

Elizabeth Hernandez is the editor of the HIPAA News section of HIPAA Coach and an experienced journalist in the healthcare sector. She specializes in healthcare and HIPAA compliance, making her a go-to source for information on healthcare regulations. Her work focuses on the importance of patient privacy and secure information handling. Elizabeth also has a postgraduate degree in journalism.