Ex-Employee Alleges Health Entity Neglected Security
Proposed Class Action Comes in Wake of Big Hacking Incident
A former employee of multistate senior living chain Avamere Health Services LLC has filed a proposed class action lawsuit accusing the organization of negligence in the wake of a hacking incident affecting her as well as 381,000 employees and patients.
The lawsuit filed on Aug. 24 in an Oregon state court by Kimberly Perry alleges that Avamere was reckless in safeguarding sensitive personal information, including by neglecting to destroy the data of former employees and patients.
Avamere failed to take steps to secure personally identifiable information and protected health information, such as encrypting data; monitoring systems; applying security updates and software patches; practicing the principle of least privilege; avoiding the use of domainwide, admin-level service accounts; and properly training employees, including on the handling of inbound email, the lawsuit alleges.
"Furthermore, once an employee was no longer employed by Avamere, or alternatively once a patient is no longer receiving services from Avamere, it had a duty to destroy the PII as soon as possible to prevent its misuse," the complaint alleges.
The lawsuit alleges Avamere underwent a ransomware attack, although the company's public breach notification statement regarding the incident does not mention ransomware.
Individuals whose data was caught up in the attack now face heightened risk of fraud and identity theft, the lawsuit says.
Managing Legacy Data
Perry's allegation that Avamere failed to destroy the data of former employees and patients, resulting in their personal data being compromised, touches on a complicated area of data management.
Companies should maintain employee data for several years even after a worker leaves, says Matthew Bernstein, founder and information governance strategist of consulting firm Bernstein Data.
"Tax obligations, healthcare claims and labor practices are some of the reasons why employers may need information about their former employees for several years post-employment," he says. As with all business records, employee records should be retained for a reasonable amount of time. Six years should cover it, Bernstein says.
Privacy attorney Iliana Peters of the law firm Polsinelli offers a similar assessment, adding that all types of organizations - not just healthcare entities - should delete or securely destroy any data, including PII, PHI or proprietary data, when such data is no longer necessary for specific business purposes. That includes considerations for record retention requirements by state and federal laws.
Perry's lawsuit complaint does not indicate when she left Avamere's employment.
Security Improvements Sought
The lawsuit also accuses Avamere of breach of implied contract and unjust enrichment.
The lawsuit seeks a jury trial, damages and a court order compelling Avamere to improve its security practices.
An attorney representing Perry did not immediately respond to Information Security Media Group's requests for comment.
In a statement provided to ISMG, Kevin Hill, Avamere's general counsel, says the company cannot comment on pending litigation. "Out of an abundance of caution, Avamere Health Services recently notified certain individuals whose information was included in a security incident involving unauthorized access to a third-party hosted network utilized by Avamere," Hill says.
Avamere on July 13 reported to the Department of Health and Human Services' Office for Civil Rights a hacking incident involving a third-party network server and affecting nearly 198,000 individuals. Avamere in the breach notification statement posted on its website lists about 80 covered entity clients - mostly Avamere subsidiaries - affected by the incident (see: 2 Vendor Hacks Affect Nearly 1.5 Million and Counting).
In addition to Avamere's report to federal regulators about the incident, so far at least one of Avamere's covered entity clients not listed in Avamere's breach notification statement - Oregon-based Premere Rehab LLC, which operates under the name Infinity Rehab - separately reported the incident to HHS OCR as affecting an additional 183,000 individuals. That brings the total affected by the Avamere data breach to about 381,000 individuals.
The hacking incident, according to Avamere's breach notification statement, involved "intermittent unauthorized access" to a third-party-hosted network used by Avamere, which occurred between Jan. 19 and March 17. An investigation into the incident determined that an unauthorized party potentially removed "a limited number" of files and folders from the network, the statement says.
Affected information included full names, addresses, dates of birth, driver’s license or state identification numbers, Social Security numbers, claims information, financial account numbers, medications information, lab results, and medical diagnosis/conditions information.
Affected covered entities include Avamere senior living and healthcare facilities, such as hospices and assisted living facilities.