Provider facing class action suits for major data breach

John Roszkowski

System hacked warning alert on notebook (Laptop). Cyber attack on computer network, Virus, Spyware, Malware or Malicious software. Cyber security and cybercrime. Compromised information internet.

October 8, 2024

An Ohio-based long-term care provider is facing three federal class action lawsuits for a major data breach that may have affected tens of thousands of residents.

Carespring Health Care Management, which provides skilled nursing care, assisted living, independent living, memory care and rehabilitative services at 17 locations in Ohio and northern Kentucky, was targeted in an October 2023 cyberattack. Cybercriminals allegedly gained access to the personal information of nearly 77,000 people, including birth dates, Social Security numbers, medical information, financial information and other private data.

The lawsuits were filed in late August in US District Court for the Southern District of Ohio by Martin Creutz of Kentucky, Phyllis Rice of Ohio, and Bonnie E. Cogswell of Kentucky on behalf of themselves and other Carespring residents and individuals whose data was compromised. They allege the company failed to use proper safeguards to protect against data breaches and failed to provide prompt notification of the hacking incident to the affected individuals.

When the company first learned of the data breach on Oct. 28, 2023, it alerted law enforcement and began a “thorough” investigation, Carespring told McKnight’s Long-Term Care News. On Nov. 17, 2023, the company posted an incident notice on its website and set up a toll-free phone number to answer consumer questions.

Following an extensive forensic investigation and manual document review, the company said it discovered on July 16 that “a limited amount” of personal data may have been accessed in the data breach. It said it mailed letters on Aug. 15 to people who may have been impacted “out of an abundance of caution.”

“We have no indication that there has been any fraud as a result of this incident,” the company stated.

A ransomware group known as NoEscape has claimed responsibility for the data breach and claims to have stolen about 364 gigabytes of patient and customer data from Carespring’s network, according to the suit.

From the october 2024 Issue of McKnight's Long-Term Care News