More than 26,000 Kisco Senior Living residents and others could have been affected by a June hacking incident, legal counsel for the company said last week.
“Kisco is committed to safeguarding the data and information of our valued community members and staff and has implemented additional measures to reduce the risk of a similar incident occurring in the future,” the operator told McKnight’s Senior Living in a statement.
The Carlsbad, CA-based operator, which manages 25 senior living communities across eight states and Washington, DC, said in an April 16 letter to those potentially affected that the data breach occurred around June 6. Names and Social Security numbers could have been revealed in the incident, according to counsel.
“Kisco immediately took steps to secure its network environment and engaged cybersecurity experts to conduct an investigation to determine what happened,” Donna Maddux, a partner on the cybersecurity and data privacy team of workplace law firm Constangy, Brooks, Smith & Prophete, told Maine Attorney General Aaron Frey in an April 17 letter notifying him of the breach as required by state law. She reported that 26,663 individuals, including senior living residents, were affected, 13 of whom lived in Maine.
“Kisco then engaged a third-party vendor to conduct a comprehensive review of the potentially affected data to determine whether personal information may have been involved,” Maddux said. In its letter, Kisco said that it identified those affected on April 9.
“Kisco reported this incident to the Federal Bureau of Investigation’s Internet Crime Complaint Center and will cooperate with any investigative efforts in an attempt to hold the perpetrator(s) of this incident responsible, if possible,” Maddux told Frey.
Kisco has notified other states where potentially affected individuals live as well and confirmed reported details of the incident to McKnight’s Senior Living.
The operator is providing all potentially affected individuals with 12 months of free credit and dark web monitoring, a $1 million identity fraud loss reimbursement policy, identity theft recovery services and 90-day access to a call center, Maddux said. In its letter to those potentially affected, Kisco also shared additional information on steps people can take to protect their personal information.
Ransomware group BlackByte has claimed responsibility for the attack, according to Comparitech, which said that the Kisco attack is the ransomware-as-a-service malware group’s third-largest based on the number of records affected and that the group, on average, demands a ransom of $375,000.
News of the breach comes as Kisco celebrates several of its communities being recognized in US News & World Report’s Best Senior Living ratings program.
