Recently, Avamere Health Services, LLC (“Avamere Living”) confirmed that the company experienced a data breach impacting sensitive information belonging to certain employees. While Avamere has yet to publicly confirm the type of data compromised in the recent breach, it has made free credit monitoring available to affected employees, meaning the leaked information was likely personal or financial in nature. On June 17, 2022, Avamere Health Services began sending data breach notifications to those impacted by the recent data security incident.
If you received a data breach notification, it is essential you understand what is at risk and what you can do about it. To learn more about how to protect yourself from becoming a victim of fraud or identity theft and what your legal options are in the wake of the Avamere Living data breach, please see our recent piece on the topic here.
What We Know About the Avamere Living Data Breach
According to an official notice filed by the company, Avamere recently learned that an unauthorized party gained “intermittent access” to the company’s servers between the dates of January 19, 2022 and March 17, 2022. After learning about the incident, Avamere launched its own investigation, along with the assistance of third-party cybersecurity experts. This investigation confirmed the unauthorized access, and, on May 18, 2022, Avamere was able to identify those employees whose information was leaked.
Notably, Avamere has not publicly released what data types were breached. However, on June 17, 2022, Avamere Living sent out data breach letters to all individuals whose information was compromised, explaining the incident as well as what specific data was compromised.
Avamere Health Services, LLC is a group of affiliated companies, all of which provide either skilled nursing or senior living options to residents and patients. Avamere was initially founded as Avamere Rehabilitation of Hillsboro in Oregon in 1995 and has since grown to operate facilities in 20 states, including those in Washington, Oregon, Nevada, Utah, Arizona, New Mexico, Nebraska and Colorado. Avamere Living employs more than 8,100 people and generates approximately $907 million in annual revenue.
Can Employers Be Held Accountable for Data Breaches Affecting Their Employers?
Yes, employers may be able to be held liable through a data breach class action lawsuit following a data breach affecting its employees. However, the fact that a data breach occurred does not necessarily mean that a company will be financially accountable. Typically, to succeed in a data breach case against an employer, employees must prove both that the company was negligent and that they suffered harm as a result of the incident.
As is the case with most cases brought under the legal theory of negligence, proving a data breach claim requires employees to prove, 1.) the company owed them a duty of care, 2.) the company violated the duty owed to employees, and 3.) The company’s breach of this duty caused or contributed to the data breach.
Proving employer negligence in the context of a data breach lawsuit is not always straightforward. While all employers owe a duty to keep employees’ personal, financial and healthcare-related information safe, whether a company violated that duty is often disputed. So too is the “causation” element of the claim, as employers routinely point to the fact that data breaches are the result of third-party criminal actions.
However, just because a criminal actor breached an employer’s systems doesn’t mean that an employer is not responsible. Employers have a legal duty to implement adequate data security systems to protect employee data. And whether an employer’s data-security measures are sufficient can be called into question.
When it comes to establishing the “damages” element of a data breach lawsuit, the most common harms are identity theft and other frauds. However, importantly, courts have held that data breach victims do not need to actually experience identity theft or fraud to recover damages; the increased risk of identity theft in the future is sufficient to recover damages.
Victims of a data breach involving their employer should reach out to a dedicated data breach lawyer for assistance.