A data breach at Carespring Health Care Management led to the personal health information of up to 67,000 people being stolen amid growing cybersecurity risks for care homes.
According to a complaint filed last week in the U.S. District Court for the Southern District of Ohio, CareSpring was hit by a cyberattack by ransomware group NoEscape in October, which led to the theft of 364 gigabytes of data.
The information exposed will vary by individual but may include names, addresses, dates of birth, Social Security numbers, medical information, health insurance information, and medical diagnosis information.
The lawsuit alleges that CareSpring failed to comply with industry security standards, leaving sensitive information without proper encryption and exposed over vulnerable networks. The proposed class action lawsuit seeks damages.
“Defendants knew, or should have reasonably known, the importance of protecting Plaintiffs’ and Plaintiffs’ Constituents’ personal information and the foreseeable consequences that would result if Defendants’ data security systems were breached, specifically the significant costs that would be incurred by Plaintiffs and Plaintiffs’ Constituents as a result of the breach,” court documents state.
The complaint also accuses CareSpring of delaying notifying the company of the data breach until Aug. 15, 2024, despite being aware of the cyberattack by Oct. 28, 2023.
The lawsuit states that Carespring’s data security obligations were especially important given the significant increase in cyberattacks and data breaches in the healthcare industry prior to the data breach date.
The husband of a CareSpring resident, who is the lead plaintiff in the lawsuit, now faces an ongoing risk of identity theft as a result of the stolen information, the complaint states.
“As a result of the data breach, Plaintiffs have suffered loss of time, inconvenience, disruption and inconvenience, and have experienced heightened anxiety and concerns about loss of privacy,” the lawsuit states.
The lawsuit also claims that the attack was “foreseeable” given the frequency of attacks in the healthcare sector, and that CareSpring should have taken steps to strengthen security.
Cybersecurity attacks are becoming increasingly common in the healthcare sector, with the World Economic Forum reporting that the sector saw a 22% increase in attacks in the first quarter of 2023, averaging 1,684 attacks per week. The healthcare industry also sustained the costliest data breaches, with an average loss of $10.93 million, the organization said.
Meanwhile, Skilled Nursing News has also reported on the impact these attacks, particularly the rising insurance costs associated with cybersecurity breaches, are having on nursing homes.
Carespring is based in Ohio and provides skilled nursing, rehabilitation, independent living, assisted living, hemodialysis nursing and memory care services in its facilities.