Massive Cyberattack Leads to Class Action Lawsuit Against Vendor Chain Avamere

Lawyers representing a potentially large group of residents and staff at retirement home giant Avamere Holdings have announced they have filed a class action lawsuit accusing the long-term care provider of failing to protect its residents and staff from a massive cyberattack.

The operator is facing the class action lawsuit over a data breach that allegedly affected more than 380,000 people at the company’s 96 healthcare sites. Plaintiffs’ attorneys also questioned why the company initially reported a smaller number of potential victims (200,000).

The Wilsonville, OR-based company operates skilled nursing facilities and senior living communities throughout the West. The breach reportedly affected facilities in Oregon, Washington, Arizona, Colorado, Nevada and Utah.

A company representative said they were just being careful when notifying potentially affected people.

“Out of an abundance of caution, Avamere Health Services recently notified certain individuals whose information was included in a security incident involving unauthorized access to a third-party hosted network used by Avamere,” Kevin Hill, Avamere’s general counsel, told McKnight Long Term Care News. “While we cannot comment on pending litigation, we remain committed to protecting the privacy and security of personal information.”

Portland attorney Nick Kahl filed the lawsuit Aug. 24 on behalf of a former Avamere employee. The lawsuit alleges “Avamere’s inability to protect its computer systems from unauthorized access by cybercriminals” despite numerous industry warnings and prior violations.

The lawsuit also alleges that Avamere waited more than two months to notify people of the breach, in which names, birth dates, addresses, Social Security numbers, lab results and information about medical conditions and medications were stolen, according to the company.

An unauthorized person gained access to a third-party hosted network used by Avamere between January 19 and March 17, 2022, according to the HIPAA Review, a privacy publication. Avamere discovered the breach on May 18; the victims were notified on July 13.

Kahl’s lawsuit claims victims’ personal information “is susceptible to being sold to criminals on the dark web, meaning unauthorized parties have accessed and viewed their unencrypted and unredacted information, including names, addresses, email addresses, birth dates, social security numbers, bank account information, private health information, and more.”

He added that these victims suffered “losses in the form of the loss of the value of their private and confidential information, the loss of the benefit of their contractual bargain, the disbursements and the value of their time reasonably incurred in remedying or mitigating the effects of the attack.”

Avamere had previously claimed to have taken steps to improve the protection of its data following the breach. It also encouraged people to call a hotline for more information and offered free credit monitoring services and best practices for protecting their information.

Another cyberattack

Around the same time that legal proceedings were beginning in the Avamere case, the Department of Health and Human Services warned of another potentially massive cyberattack threatening healthcare providers.

Dubbed “Karakurt” by the agency’s Cybersecurity Coordination Center, the ransomware group has attacked at least four unidentified vendor organizations over the past three months. These observed attacks included an assisted living community, a dental company, a supplier and a hospital.

Karakurt actors usually claim to steal data and threaten to auction it off on the dark web or make it public unless their demands are met. Ransoms range from $25,000 to $13 million in Bitcoin with time frames often set to expire in just one week.