This article has been updated with comment from Avamere.
Oregon-based nursing home giant Avamere faces a class-action lawsuit over a data breach believed to have affected more than 380,000 people.
The breach, reported in July, took place months before that — between Jan. 19 and March 17, 2022 — and reportedly affects patients as well as employees who are affiliated with more than 80 companies that are part of Avamere Holdings. It affected nearly 100 facilities.
Hackers stole data that included names, birth dates, addresses, social security numbers, lab results and information about medical conditions and medication, according to the company. While the company initially reported a smaller number of those affected, less than 200,000 people, the figure has since grown, according to the HIPAA Journal, a respected industry publication.
Asked for comment, Kevin Hill, who serves as general counsel for the firm, told The Lund Report in an email that “Although we cannot comment on any pending litigation, we remain committed to protecting the privacy and security of personal information.”
The Wilsonville-based company operates skilled nursing and senior living facilities in states around the West. The breach reportedly affected facilities located in Oregon, Washington, Arizona, Colorado, Nevada and Utah.
Portland lawyer Nick Kahl filed the lawsuit on Aug. 24 on behalf of a former Oregon employee of Avamere, Kimberly Harvey Perry, and other people affected. It faults “Avamere’s failure to protect its computer systems from unauthorized access by cybercriminals” despite numerous industry warnings and earlier breaches.
It also claims Avamere knew of the breach by May 18 and faults the company for waiting until July 13 to notify potential victims. It says their personal information is “likely for sale to criminals on the dark web, meaning that unauthorized parties accessed and viewed their unencrypted, unredacted information, including names, addresses, email addresses, dates of birth, Social Security numbers, bank account information, private health information, and more.”
The suit claims that victims of the breach suffered “losses in the form of loss of the value of their private and confidential information, loss of the benefit of their contractual bargain, out-of-pocket expenses and the value of their time reasonably incurred to remedy or mitigate the effects of the attack.”
An earlier release by Avamere said that following the breach, the company took steps to improve its data protection. It also encouraged people to call a hotline for more information: (833) 909-4422.
“Out of an abundance of caution, Avamere notified individuals whose information was included in the impacted files and folders. Notified individuals have been provided complimentary credit monitoring services as well as best practices to protect their information, including but not limited to reviewing the explanation of benefits statements they receive from their health insurance providers and following up on any items or services not recognized.”
You can reach Nick Budnick at [email protected] or at @NickBudnick on Twitter.
