Shamis & Gentile P.A., one of the nation's premier class action law firms specializing in data breach cases, is investigating the Morton Drug Company data breach.
If you were affected by the data breach, your sensitive personally identifiable information may have been exposed, and you may be eligible for compensation.
About Morton Drug Company
Morton Drug Company is an independent, family-owned pharmacy based in Neenah, Wisconsin. Founded in 1932, the company has a long history of providing pharmacy solutions, especially to long-term care providers.
Morton Drug Company offers its customers the expertise of directly employed consultant pharmacists, supported by modern technology and a dedicated customer service team.
What happened?
On or about Aug. 20, 2025, Morton Drug Company discovered a network security incident that impacted its IT systems. The company immediately engaged third-party cybersecurity experts to assess, contain and remediate the situation, and law enforcement was also notified.
After a thorough investigation, which concluded around Oct. 21, 2025, Morton Drug Company determined that both personally identifiable information (PII) and protected health information (PHI) were compromised. So far, the breach has impacted at least 40,051 people in the U.S.
Possible Information Exposed
Names
Addresses
Medical information
Social Security numbers
The company posted a notice of data security incident on its website on Nov. 7, 2025, and disclosed the breach
Source: https://www.claimdepot.com/investigations/morton-drug-data-breach-2025
Morton LTC cybersecurity rating report: https://www.rankiteo.com/company/morton-ltc
{
  "id": "MOR1764807261",
  "linkid": "morton-ltc",
  "type": "Breach",
  "date": "8/2025",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'customers_affected': '40,051',
                        'industry': 'Healthcare/Pharmaceutical',
                        'location': 'Neenah, Wisconsin, USA',
                        'name': 'Morton Drug Company',
                        'size': None,
                        'type': 'Pharmacy'}],
 'customer_advisories': 'Notice of data security incident posted on company website',
 'data_breach': {'data_encryption': None,
                 'data_exfiltration': None,
                 'file_types_exposed': None,
                 'number_of_records_exposed': '40,051',
                 'personally_identifiable_information': ['Names',
                                                         'Addresses',
                                                         'Social Security numbers',
                                                         'Medical information'],
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Personally identifiable information (PII)',
                                              'Protected health information (PHI)']},
 'date_detected': '2025-08-20',
 'date_publicly_disclosed': '2025-11-07',
 'date_resolved': '2025-10-21',
 'description': 'Morton Drug Company discovered a network security incident that impacted its IT systems, leading to the exposure of personally identifiable information (PII) and protected health information (PHI). The breach affected at least 40,051 people in the U.S.',
 'impact': {'brand_reputation_impact': None,
            'conversion_rate_impact': None,
            'customer_complaints': None,
            'data_compromised': 'Personally identifiable information (PII) and protected health information (PHI)',
            'downtime': None,
            'financial_loss': None,
            'identity_theft_risk': 'High',
            'legal_liabilities': None,
            'operational_impact': None,
            'payment_information_risk': None,
            'revenue_loss': None,
            'systems_affected': 'IT systems'},
 'initial_access_broker': {'backdoors_established': None,
                           'data_sold_on_dark_web': None,
                           'entry_point': None,
                           'high_value_targets': None,
                           'reconnaissance_period': None},
 'investigation_status': 'Concluded',
 'post_incident_analysis': {'corrective_actions': None,
                            'root_causes': None},
 'ransomware': {'data_encryption': None,
                'data_exfiltration': None,
                'ransom_demanded': None,
                'ransom_paid': None,
                'ransomware_strain': None},
 'references': [{'date_accessed': '2025-11-07',
                 'source': 'Morton Drug Company Notice of Data Security Incident',
                 'url': None}],
 'regulatory_compliance': {'fines_imposed': None,
                           'legal_actions': None,
                           'regulations_violated': None,
                           'regulatory_notifications': None},
 'response': {'adaptive_behavioral_waf': None,
              'communication_strategy': 'Notice of data security incident posted on company website',
              'containment_measures': None,
              'enhanced_monitoring': None,
              'incident_response_plan_activated': 'Yes',
              'law_enforcement_notified': 'Yes',
              'network_segmentation': None,
              'on_demand_scrubbing_services': None,
              'recovery_measures': None,
              'remediation_measures': None,
              'third_party_assistance': 'Cybersecurity experts engaged'},
 'title': 'Morton Drug Company Data Breach Investigation',
 'type': 'Data Breach'}