A lawsuit has been filed against Wilsonville-based Avamere Holdings for a data breach affecting 96 senior living facilities and involved the release of the protected health information of over 380,000 individual. On July 7th, Avamere Health services, a business associate of Avamere holdings, notified affected individuals of the data breach.
In the period between January 19, 2022 and March 17, 2022, an unauthorized third-party had gained access to the home healthcare service provider’s networks and removed files containing sensitive patient information. Upon discovery, an immediate forensic was launched in collaboration with a cybersecurity firm to determine what files had been removed and how the networks were accessed. Following the investigation, the healthcare provider concluded that the files exfiltrated from the organization’s network included information regarding patient’s full names, addresses, birth dates, driver’s license or state identification numbers, Social Security numbers, claims information, financial account numbers, medications information, lab results, and medical condition information. Although the attack’s nature was not publicly disclosed, a ransomware organization claimed responsibility for it and posted part of the material that was taken to their data leak site.
A breach report was then submitted to the Department of Health and Human Services claiming the breach affected just 200,000 individuals. However, breach notifications submitted independently by companies affected by breach indicated a far greater number. Avamere Holdings also notified potentially affected individuals via a breach notification letter. Within the letter, Avamere offers credit monitoring services free of charge along with a list of best practices to take to protect their information such as remaining vigilant on account statements and credit reports.
However, despite the benefits offered by Avamere Holdings, a class-action lawsuit was filed on behalf of all individuals who had their personal information exposed. The lawsuit claims that Avamere Holdings failed to adequately secure patient information in order to prevent malicious actors from gaining access. Additionally, the lawsuit claims the healthcare provider failed to notify affected individuals in a timely manner. As a result, affected individuals now face a greater risk to identity theft and fraud. The plaintiff requests cash reimbursements for the loss of value of their information, out-of-pocket expenses, and loss of benefit of their contractual bargain.
Avamere Holdings has apologized for the data breach and requested individuals who have questions or seek additional information regarding the breach to contact the organization. The organization has also implemented several security measures to reduce the risk of an attack of this nature occurring again.