Avalon Healthcare, Morley Companies Reach Healthcare Data Breach Settlements

January 05, 2023 - Avalon Healthcare Management and Morley Companies each reached healthcare data breach settlements recently following large-scale data breaches. Lawsuits and state-level enforcement actions in the aftermath of a high-profile or high-impact breach are becoming more common as breaches continue to affect the healthcare sector.

For example, Scripps Health recently reached a proposed settlement of $3.5 million after a 2021 ransomware attack that impacted 1.2 million individuals.

Many healthcare entities and plaintiffs agree to settlements rather than going through a lengthier court proceeding, as exemplified by the two recently settled cases detailed below.

Morley Companies Reaches $4.3M Settlement

Morley Companies, a provider of business services to many companies, including healthcare organizations, reported a breach to HHS in February 2022 that impacted more than 521,000 individuals, ranging from current and former employees to clients.

In its original notice, Morley stated that its “data became unavailable” in August 2021 and later discovered that “data may have been obtained from its digital environment.”

Names, Social Security numbers, client identification numbers, medical treatment information, health insurance information, and birth dates were involved in the incident.

The breach resulted in multiple complaints, which were later consolidated into a class action lawsuit. The lawsuit described the incident as a “ransomware-type malware” attack.

Morley agreed to a $4.3 million settlement. Impacted individuals may be eligible to receive up to $2,500 for out-of-pocket expenses, as well as $20 per hour (maximum of four hours) for lost time.

Class members may also receive three years of free credit monitoring and one year of password management services. California residents may also receive a $75 cash payment due to California privacy laws.

Avalon Healthcare Management Settles Data Breach Enforcement Case

Oregon Attorney General Ellen Rosenblum and Utah Attorney General Sean Reyes announced that they reached a $200,000 settlement with Avalon Healthcare Management stemming from a 2019 data breach. Avalon Healthcare Management is part of Avalon Health Care Group, which provides skilled nursing and assisted living services in six states.

In 2019, Avalon disclosed a breach that impacted the personal information and protected health information (PHI) of 14,500 Avalon employees and patients. The breach occurred after an employee fell victim to an email phishing scam. Avalon notified impacted individuals of the breach approximately 10 months later.

“A joint investigation ensued, focusing on Avalon’s email security practices and compliance with the Health Insurance Portability and Accountability Act (HIPAA) and state breach notification statutes,” the announcement noted.

“Under Oregon law, a company should give notice of a breach of security in the most expeditious manner, but no more than 45 days after discovering the breach of security.”

In addition to the $200,000 settlement, which will be split equally between the states of Utah and Oregon, Avalon agreed to develop and maintain additional data security practices designed to strengthen its information security program.

“Companies, like Avalon, that retain consumers’ protected health information, have a duty to keep this data safe from unauthorized access,” Rosenblum said.

“Avalon dealt with the personal health-related information of some of our most vulnerable residents. Close to 2000 Oregonians assumed—incorrectly—their information was safe with Avalon. Data breaches continue to be a problem in Oregon, and we are committed to working with companies to make sure they have the highest data privacy safeguards in place.”