Settlement Reached in Hi-School Pharmacy Data Breach

A $600 000 proposed settlement has been reached in a cybersecurity/data breach class action case against Hi-School Pharmacy.

Just the Facts

The complaint against Hi-School Pharmacy, an independently owned and operated drugstore, garden center, and hardware chain based in Washington State, was filed in early 2024, alleging that a data breach in November 2023 had affected the protected health information (PHI) of over 17 000 people. The sensitive personal information that was illegally accessed included Social Security numbers, names, and dates of birth.

The class, composed of both current and former employees of the chain, was notified in December 2023 that a data breach security incident had occurred. Plaintiffs alleged that the data had been unencrypted and not stored in accordance with established security protocols. They accuse the chain of failing to use reasonable security procedures and practices appropriate to the nature of the sensitive information it was supposed to be protecting.

The plaintiffs’ complaint included a comprehensive list of measures that the chain should have implemented in order to prevent a breach. These measures included implementation of an awareness and training program, strong spam filters to prevent phishing emails, firewalls to block known malicious IP addresses, and regular scanning via antivirus and antimalware programs, among others.

Plaintiffs further alleged that Hi-School Pharmacy requires employees to provide sensitive information, including Social Security numbers, as a condition of employment, yet failed to adequately protect that information. The lawsuit claimed that the company was handling the PHI in a reckless manner and that the cyberattack was thus both foreseeable and preventable.

The Settlement

In March 2025, the US District Court for the Western District of Washington gave preliminary approval for a settlement in the case. To receive the settlement, class members must submit a claim form online via a court-approved settlement website.

Plaintiffs can receive up to $5000 in reimbursement for out-of-pocket expenses incurred as a result of the data breach. Claim forms with documentation are required for payment. Plaintiffs can also submit a claim form to receive 2 years of identity theft and credit monitoring services.

A hearing is scheduled for July 2025 for the court to give final approval of the settlement.

The Takeaway

It is essential to protect the personal identifiable information of both employees and patients from cyberattacks and hackers. Organizations that fail to implement adequate security protocols may face significant legal and financial consequences. Ensure that security protocols are in place to safeguard sensitive information which could be misused.

References

Shayna Marie Landin v Hi-School Pharmacy Services LLC; Hi-School Pharmacy, Inc. No 3:24-cv-05115-TMC. The United States District Court for the Western District of Washington Tacoma Division; 2025. https://www.classaction.org/media/landin-v-hi-school-pharmacy-services-llc-et-al-motion-for-preliminary-approval.pdf

Shayna Marie Landin v Hi-School Pharmacy Services, LLC; Hi-School Pharmacy, Inc. Class Action Complaint. The United States District Court for the Western District of Washington Tacoma Division; 2025. https://www.classaction.org/media/landin-v-hi-school-pharmacy-services-llc-et-al.pdf