
A data breach reportedly exposing the personal information of 21,000 employees and residents could cost a senior living operator $1 million in a proposed settlement approved by a federal judge.

In a settlement that has received preliminary approval from a federal court, Fort Washington, PA-based Acts Retirement–Life Communities would pay $1 million to settle allegations that it failed to protect personal information of 20,754 individuals, including 18,276 former Acts employees and 2,478 current or former residents, in an April 2022 data breach. 

After discovering the data breach involving one of its internal data servers, Acts notified potentially affected individuals in July and October 2022, offering credit monitoring services and identity theft insurance.

“Following the incident, our information security team worked quickly to remediate the compromised server, prevent further activity and initiate an investigation to determine the nature and scope of this incident,” an Acts statement released to McKnight’s Senior Living read. “Acts has continued to implement additional safeguards and enhancements on an ongoing basis with the assistance of external cybersecurity specialists to further strengthen our systems, much of the costs for which were addressed in the settlement discussion, and which will benefit Acts well into the future.”

Former employees Cara-Aimee Corra and Valarie Hanna filed a class action lawsuit in July 2022 in US District Court for the Eastern District of Pennsylvania alleging that Acts was negligent in protecting information, including names, addresses, Social Security numbers, birth dates, financial account numbers and medical information accessed by hackers. 

Corra and Hanna agreed to private mediation in March 2023, and a settlement was finalized in July 2023.

In addition to the cash payout, under the terms of the proposed settlement, Acts also would offer class members the opportunity to enroll in two years of credit monitoring and identity theft protection as well as enhanced monitoring of the dark web. The settlement also indicates that Acts has made “certain data security changes,” including extending multi-factor authentication, implementing new technical safeguards and mobile device management controls, updating data retention approaches, and adding a 24/7 managed detection and response service. 

Acts said that the settlement amounts included the organization’s “maximum potential exposure, excluding applicable cyber insurance coverage.”

“We are pleased to have reached a mutually agreeable and preliminary accepted resolution of the claims in the class action lawsuit, while further supporting ongoing cyber security,” Acts noted in its statement.

A final approval hearing is scheduled for July 2. 

Acts is the country’s largest not-for-profit owner, operator and developer of continuing care retirement / life plan communities, according to the company. Overall, it is the nation’s fourth-largest not-for-profit, multi-site senior living and care organization, according to the 2023 LeadingAge Ziegler 200, with assets of $2.4 billion. The organization ranks at No. 2 on the list for independent living units, No. 12 for assisted living units and No. 7 for skilled nursing units.

The company’s 27 retirement communities in nine states collectively serve more than 10,000 residents and employ almost 7,000.