Avamere Holdings based in Wilsonville, OR, a provider of home health care services and operator of a nursing home, is dealing with a class action lawsuit due to a serious data breach that impacted 96 senior living and healthcare establishments that led to the compromise of the protected health information (PHI) of over 380,000 persons.
The breach happened at Avamere Health Services, which is Avamere Holdings’ business associate that delivers IT services. An unauthorized person gained access to the system of Avamere Health Services from January 19, 2022 to March 17, 2022, and extracted files that contain PHI. Although there is no disclosure concerning the nature of the attack, a ransomware gang claimed responsibility for the attack and published part of the stolen information on its data leak website.
The breach report was submitted to the Department of Health and Human Services as impacting 197,730 persons, though a number of the companies impacted by the breach, like Premere Infinity Rehab, sent their own breach notification letters. About 380,984 people are known to have been impacted by the data breach in over 80 affiliated firms. Avamere Holdings has provided the impacted persons with free credit monitoring services.
Attorney Nick Kahl from Portland, OR filed the class action lawsuit on behalf of Kimberly Harvey Perry, an ex-employee of Avamere, whose sensitive personal data was compromised in the data breach. The lawsuit claims Avamere Holdings did not employ sufficient security measures to stop cybercriminals from being able to access and steal sensitive employee information, in spite of knowing the risk of cyberattacks because of a lot of industry alerts.
The lawsuit additionally has a problem with the delay in sending notifications to impacted persons. The breach was discovered on or about March 17, 2022, yet Avamere only sent the notification to the impacted persons on July 13, 2022. The lawsuit claims the cybercriminals hold the sensitive data of the plaintiff and class members, such as their names, contact details, Social Security numbers, bank account data, and medical data and they currently face an impending and future danger of identity theft and fraud.
The plaintiff and class members claimed to have experienced the loss of benefit of their contractual bargain, loss of value of their private data, and out-of-pocket expenditures while mitigating the consequences of the attack and keeping themselves safe from identity theft and fraud.