DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Oregon AG Rosenblum Settles with Avalon Healthcare over 2019 Data Breach

Posted on December 31, 2022 by Dissent

Although HHS OCR generally fails to take a hard enforcement line with reporting breaches by the “no later than 60 day” rule in HIPAA, state attorneys general may enforce even stricter deadlines.  Read this press release:

December 27 — Oregon Attorney General Ellen Rosenblum and Utah Attorney General Sean Reyes announced they’ve settled a data breach enforcement case against Avalon Healthcare Management. It is part of the Avalon Health Care Group that provides skilled nursing, therapy, senior living/assisted living and other medical services in six states, including Oregon and Utah.

The $200,000 settlement stems from a 2019 data breach that exposed the personal information and protected health information of 14,500 Avalon employees and patients, including 1,649 Oregonians. Oregon will receive $100,000.

In July 2019, a scammer gained access to an Avalon employee’s email account after the employee fell victim to a phishing scam. The breach included names, addresses, Social Security numbers, dates of birth, driver’s license numbers, medical treatment information, including diagnosis, health conditions, and/or medications, and limited financial information.

Approximately 10 months after the breach Avalon notified those impacted by the breach and reported it to federal and state regulators, including the Oregon Department of Justice. A joint investigation ensued, focusing on Avalon’s email security practices and compliance with the Health Insurance Portability and Accountability Act (HIPAA) and state breach notification statutes. Under Oregon law, a company should give notice of a breach of security in the most expeditious manner, but no more than 45 days after discovering the breach of security.

“Companies, like Avalon, that retain consumers’ protected health information, have a duty to keep this data safe from unauthorized access,” said Attorney General Rosenblum. “Avalon dealt with the personal health-related information of some of our most vulnerable residents. Close to 2000 Oregonians assumed—incorrectly—their information was safe with Avalon. Data breaches continue to be a problem in Oregon, and we are committed to working with companies to make sure they have the highest data privacy safeguards in place.”  AG Rosenblum also thanked her team at the Oregon Department of Justice, including Assistant Attorney General Kristen Hilton in the Consumer Protection Section, for working on this important case.

In addition to the $200,000 settlement, Avalon will develop and maintain several data security practices designed to strengthen its information security program and safeguard the personal information of employees and patients.

For more information on reporting a data breach to the Oregon Department of Justice visit:

https://www.doj.state.or.us/consumer-protection/id-theft-data-breaches/data-breaches/

Read the settlement here.


DataBreaches had highlighted this incident back in 2020, here. Did HHS ever take any action? I cannot even find the incident on HHS’s breach tool although it was there in February 2020. Is HHS still investigating? 

Category: Commentaries and AnalysesHealth Data

Post navigation

← A hospital’s patient data was stolen in June and they should have known it. Why are they claiming they didn’t know?
Ex-Employee Arrested For Extortion, Cyberstalking →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Fraudsters, murderers, students: who the GRU assembled a team of hacker provocateurs from and why it failed
  • Order of Psychologists of Lombardy fined 30,000 € for inadequate data security protection and detection following ransomware attack
  • Lower Merion School District says a data breach was caused by a computer glitch
  • After $1 Million Ransom Demand, Virgin Islands Lottery Restores Operations Without Paying Hackers
  • Junior Defence Contractor Arrested For Leaking Indian Naval Secrets To Suspected Pakistani Spies
  • Mysterious leaker GangExposed outs Conti kingpins in massive ransomware data dump
  • Resource: HoganLovells Asia-Pacific Data, Privacy and Cybersecurity Guide 2025
  • Class action settlement following ransomware attack will cost Fred Hutchinson Cancer Center about $52 million
  • Comstar LLC agrees to corrective action plan and fine to settle HHS OCR charges
  • Australian ransomware victims now must tell the government if they pay up

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Fears Grow Over ICE’s Reach Into Schools
  • Resource: HoganLovells Asia-Pacific Data, Privacy and Cybersecurity Guide 2025
  • She Got an Abortion. So A Texas Cop Used 83,000 Cameras to Track Her Down.
  • Why AI May Be Listening In on Your Next Doctor’s Appointment
  • Watch out for activist judges trying to deprive us of our rights to safe reproductive healthcare
  • Nebraska Bans Minor Social Media Accounts Without Parental Consent
  • Trump Taps Palantir to Compile Data on Americans

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.