An Ohio long-term care healthcare company has been named in a class-action lawsuit over an October cyberattack in which hackers claim they accessed a trove of data on about 80,000 people.
The lawsuit alleges that CareSpring Health Care Management neglected cybersecurity despite federal law enforcement warnings that bad actors were targeting health care companies. Martin Kreutz of Dayton, Kentucky, filed the lawsuit on behalf of himself and alleged current and former clients and patients who provided their confidential information to CareSpring.
CareSpring has 17 senior living, skilled nursing and rehabilitation facilities in Cincinnati, Dayton, Ohio and Northern Kentucky. The company said: McKnight The company said on Tuesday that appropriate measures had been taken after the breach was discovered and that there was no evidence that the leaked data had been misused.
The lawsuit charges that CareSprings’ “unreasonable and inadequate data security practices” put Kreutz and others at “an ongoing risk of identity theft.” It further alleges that the individuals suffered “numerous actual and tangible injuries and damages.”
CareSpring could have prevented the data breach by “adequately securing and encrypting its systems containing the personal information of Plaintiffs and Plaintiff Class Members,” and could have proactively destroyed the data, especially of people with whom it had not done business for a long time, the lawsuit alleges.
The lawsuit alleges that CareSpring “became aware of suspicious activity” within its network in late October 2023 but did not send notice to affected individuals – current or former employees – until this month.
CareSpring said in a statement that details of the timeline were a bit more nuanced. McKnight on tuesday.
Carspring explained that the company learned of the data breach on Oct. 28, 2023, notified law enforcement and launched a “thorough” investigation. The company posted a notice of the incident on its website on Nov. 17, 2023, and set up a toll-free number to answer consumer questions, the statement added.
On July 16, the company announced that it had conducted an “extensive forensic investigation and manual review of affected documents” and found that a “limited amount” of data stored on its network, including Social Security numbers, medical information, health insurance information, and credit card numbers, “may have been accessed.”
The company said there was “no indication that fraud occurred in this incident,” adding that “out of an abundance of caution” it sent letters on August 15 to people who may have been affected.
The lawsuit claims that a ransomware group called NoEscape is responsible for the breach, claiming to have stolen 364 gigabytes of data. According to a notice sent by CareSpring to the Maine Attorney General, the breach affected 76,719 people.
