
An Ohio healthcare company that provides long-term care services has been named in a class-action lawsuit over an October cyber attack in which hackers claim to have accessed a massive trove of data on nearly 80,000 people. 

The suit alleges that Carespring Health Care Management was negligent about its cybersecurity, despite warnings from federal law enforcement agencies that bad actors were targeting healthcare companies. Martin Creutz of Dayton, KY, filed the suit on behalf of himself and others who are described as current and former clients and patients who provided sensitive information about themselves to Carespring. 

Carespring has 17 senior living, skilled nursing, and rehabilitation locations in Cincinnati; Dayton, OH; and Northern Kentucky. The company told McKnight’s Tuesday that proper steps were taken once the breach was discovered and that there have been no signs of abuse of the compromised data.

The complaint alleges that Carespring’s “unreasonable and inadequate data security practices” put Creutz and others at “current and ongoing risk of identity theft.” In addition, the suit claims individuals have suffered “numerous actual and concrete injuries and damages.”

Carespring could have prevented the data breach by “properly securing and encrypting the systems containing the Private Information of Plaintiff and Class Members.” The company also could have pre-emptively destroyed the data, especially for people it had not done business with for a long time, the filing claims.

The suit alleges that Carespring “became aware of suspicious activity” in its network in late October 2023 but did not send notices to any affected individuals — current or former — until this month.

Full details of the timeline are a bit more nuanced, Carespring said in a statement sent to McKnight’s on Tuesday.

The company learned of the data breach on Oct. 28, 2023, alerted law enforcement, and began a “thorough” investigation, Carespring explained. On Nov. 17, 2023, the company posted an incident notice on its website and set up a toll-free phone number to answer consumer questions, the statement added.

A “thorough forensic investigation and manual review of the impacted documents” ensued, and showed that a “limited amount” of data such as Social Security numbers, medical information, health insurance information, and credit card numbers that were stored on the company’s network “may have been accessed,” the company said on July 16.

“We have no indication that there has been any fraud as a result of this incident,” the company noted, adding that “out of an abundance of caution,” it mailed letters on Aug. 15 to people who may have been impacted. 

A ransomware group called NoEscape took credit for the breach and claimed to have stolen 364 gigabytes of data, the lawsuit states. Carespring’s notification to the Maine Attorney General said 76,719 people were impacted by the breach.