Nursing Home Provider Carespring Health’s Data Breach Impacted 67,000 Residents, Lawsuit Alleges

Amid rising cybersecurity risks at nursing homes, a data breach at Carespring Health Care Management led to the theft of private health information belonging to up to 67,000 individuals. 

Carespring suffered a cyberattack from the ransomware group NoEscape last October, resulting in the theft of 364 gigabytes of data, according to a complaint filed last week in the U.S. District Court for the Southern District of Ohio.

While the breached information varies from individual to individual, it may include name, address, date of birth, Social Security number, medical information, health insurance information, and medical diagnosis information.

Advertisement

The lawsuit contends that Carespring failed to adhere to industry security standards, leaving its sensitive information poorly encrypted and exposed to vulnerable networks. The proposed class action seeks damages.

“[Carespring] knew, or reasonably should have known, of the importance of safeguarding the Private Information of Plaintiff and Class Members and the foreseeable consequences that would occur if Defendant’s data security system was breached, including, specifically, the significant costs that would be imposed on Plaintiff and Class Members as a result of a breach,” the court filing states.

The filing also calls out Carespring for delaying sending notices of the data breach until August 15, 2024, despite knowledge of the cyberattack by October 28, 2023.

Advertisement

“[Carespring’s] data security obligations were particularly important given the substantial increase in cyberattacks and/or data breaches in the healthcare industry preceding the date of the breach, the lawsuit states.

The lead plaintiff in the lawsuit, the husband of a resident at Carespring, now faces a current and ongoing risk of identity theft as result of the stolen information, the filing states.

“Plaintiff suffered lost time, annoyance, interference, and inconvenience as a result of the Data Breach and has anxiety and increased concerns for the loss of his privacy,” the lawsuit states.

The lawsuit also alleges that the attack was “foreseeable” given the high level of attacks in the health care sector, and Carespring should have taken steps to bolster its security.

Cybersecurity attacks have become increasingly common in the health care sector, with the World Economic Forum reporting that the health care sector experienced a jump of 22% in the first quarter of 2023, with an average of 1,684 attacks per week. The health care industry suffered the most expensive data breaches as well, at an average cost of $10.93 million, the organization said.

Meanwhile, Skilled Nursing News has also reported on the impact on nursing homes from these attacks, especially from the escalating insurance costs tied to cybersecurity breaches.

Carespring is based in Ohio, and provides services for skilled nursing, rehabilitation, independent living, assisted living, hemodialysis nursing care, and memory care at its facilities.