leiters data breach

Leiters Inc. Data Breach Class Action Investigation

‣ Leiter’s computer network hacked
‣ Personal Information from Prescription Drug Orders May Be at Risk

On May 23, 2022, Leiters, Inc., a pharmacy based in Englewood, Colorado that provides specialized “compounded” prescription medications by mail-order, reported a data breach involving sensitive personal information from its mailed prescription orders. This breach took place between April 6-8, 2022.

According to the company, on April 11, 2022, Leiters “identified unauthorized activity involving [its] computer systems.” After further investigation, it was determined that an unauthorized person accessed Leiter’s computer network and obtained files from the system.

The stolen files involved invoice information about mailed prescription orders placed between 2016 and 2019, and may include:

  • Customer Names
  • Addresses
  • Phone Numbers
  • Invoice Numbers
  • Prescription Information, and
  • Debit and Credit Card Information – the last four digits exposed and the expiration date

The full text of a sample of the Leiters’ Notice of Data Breach can be found here.

California Privacy Laws Protect You

If you are a California resident and received prescription medications from Leiters, several laws, including the California Confidentiality of Medical Information Act (CMIA), require that every company that maintains medical information do so in a manner that reasonably preserves its confidentiality, protecting it from unauthorized access.

Under the CMIA, if you received a recent Notice of Data Breach from Leiters and are or were a California resident, you may be entitled to $1,000 and your actual damages resulting from the release of your confidential information.

Participants in data breach lawsuits can recover damages, injunctive relief (to make sure that the business has reasonable security practices in place to protect consumer data from being leaked again), and anything else the court concludes is necessary to compensate data breach victims and prevent these harms from reoccurring.

Pharmaceutical Records Are Highly Attractive Targets for Cyber-Criminals

Identity theft is on the upswing. By 2021, there were over 50 million personal records compromised nationwide.

Even Equifax and Experian, which are in the business of offering credit monitoring services, have experienced massive data breaches affecting over 150 million people.

The pharmacy and pharmaceutical industry have seen a significant increase in data breaches in the past few years.

According to data risk protection group, Constella Intelligence, from January 2018 to September 2021, pharmaceutical companies experienced 9,830 breaches and leakages, exposing over 4.5 million records from the companies analyzed.[1] Approximately 64% of the breaches and leakages contained personally identifiable information, like here most often including email, password, name, username, phone number, address, date of birth, and credit card information.[2]

As data held by these companies is particularly sensitive, these cyber thieves recognize the havoc they can cause by stealing medical information. And when data such as medical records are stolen, cyber thieves may choose to wait years to capitalize on compromised personal data. The longer cyber thieves can go undetected, the more they stand to profit from their illegal activities.

Therefore, it is important for companies such as Leiters to be proactive and vigilant about eliminating or reducing their risk for attacks and to meet their health data breach notification obligations to protect the public.[3]

Once you know your data has been disclosed, it is reasonable to be concerned that your data might be used. Compromised data also increases the risk of hacking, phishing, and increased anxiety over future losses and identity theft.



[1] Constella Intelligence, Pharma Sector Exposure Report 2018-2021 Digital Risk Findings and Trends (2022).

[2] same

[3] See R. Bonta, California Attorney General, BULLETIN: Obligation to Proactively Reduce Vulnerabilities to Ransomware Attacks and Requirements Regarding Health Data Breach Reporting (2021).