HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Avamere Holdings Facing Class Action Lawsuit Over 2022 Cyberattack

The Wilsonville, OR-based home health care service provider and nursing home operator, Avamere Holdings, is facing a class action lawsuit over a major data breach that affected 96 senior living and healthcare facilities and resulted in the exposure of the protected health information of more than 380,000 individuals.

The breach occurred Avamere Health Services – a business associate of Avamere Holdings that provides information technology services. An unauthorized individual had access to the network of Avamere Health Services between January 19, 2022, and March 17, 2022, and exfiltrated files containing protected health information. While the nature of the attack was not disclosed, a ransomware group claimed credit for the attack and uploaded some of the stolen data to its data leak site.

The breach was reported to the Department of Health and Human Services as affecting 197,730 individuals, although some of the companies affected by the breach, such as Premere Infinity Rehab, issued their own breach notifications. At least 380,984 individuals are understood to have been affected by the data breach across more than 80 affiliated companies. Avamere Holdings has offered affected individuals complimentary credit monitoring services.

The class action lawsuit was filed by Portland, OR-based attorney, Nick Kahl, on behalf of a former Avamere employee, Kimberly Harvey Perry, who had her sensitive personal information exposed in the data breach.  The lawsuit alleges Avamere Holdings failed to implement adequate security measures to prevent cybercriminals from accessing and stealing sensitive employee data, despite being aware of the threat of cyberattacks due to many industry warnings.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

The lawsuit also takes issue with the delay in issuing notifications to affected individuals. The breach was detected on or around March 17, 2022, yet Avamere waited until July 13, 2022, to issue notifications to affected individuals. The lawsuit alleges the sensitive information of the plaintiff and class members is now in the hands of cybercriminals, including their names, contact information, Social Security numbers, bank account information, and health information and they now face an imminent and future risk of identity theft and fraud.

The plaintiff and class members are alleged to have suffered the loss of value of their private information, loss of benefit of their contractual bargain, and out-of-pocket expenses mitigating the effects of the attack and protecting against identity theft and fraud.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.