Consonus Healthcare Services Faces Lawsuit Over Delayed Data Breach Disclosure
A former employee of Oregon-based Consonus Healthcare Services has filed a class-action lawsuit against the company, alleging a three-month delay in notifying affected individuals about a data breach that exposed sensitive personal information. The breach, which occurred in early August 2024, compromised the data of approximately 4,800 current and former employees and job applicants, including names, Social Security numbers, and other identifying details.
The lawsuit, filed in U.S. District Court in Portland, claims Consonus—part of Marquis Companies, a senior living chain—failed to implement adequate cybersecurity measures, leaving victims vulnerable to lifelong risks of identity theft and fraud. The company reportedly detected the breach on August 17 but did not notify Oregon’s attorney general or affected individuals until November, nearly three months later.
Plaintiff Gaurav Kaushik, a former program manager who worked for Consonus from 2021 to 2024, alleges the company was negligent in securing its systems, failing to monitor for intrusions or comply with industry cybersecurity standards. The stolen data could be exploited for financial fraud, medical identity theft, tax fraud, and other criminal activities, according to the complaint.
Consonus offered affected individuals short-term credit monitoring, which the lawsuit dismisses as insufficient given the permanent risks posed by the breach. The notice also allegedly lacked critical details, including the root cause of the breach, exploited vulnerabilities, and remedial actions taken.
The lawsuit seeks monetary damages, lifetime credit monitoring, and identity theft insurance for victims. Neither Consonus nor the plaintiffs’ legal representatives have publicly commented on the case. Consonus provides services to rehabilitation and senior care facilities across eight states, including Oregon, Washington, and California.
Source: https://www.thelundreport.org/content/oregon-health-care-firm-hit-data-breach-suit
Consonus Healthcare cybersecurity rating report: https://www.rankiteo.com/company/consonus-healthcare
Consonus Healthcare cybersecurity rating report: https://www.rankiteo.com/company/consonus-healthcare
"id": "CONCON1766527147",
"linkid": "consonus-healthcare, consonus-healthcare",
"type": "Breach",
"date": "8/2025",
"severity": "85",
"impact": "3",
"explanation": "Attack with significant impact with internal employee data leaks"{'affected_entities': [{'customers_affected': '4800',
'industry': 'Healthcare',
'location': 'Oregon, USA',
'name': 'Consonus Healthcare Services',
'type': 'Healthcare Services and Consulting'}],
'customer_advisories': 'Offered short-term credit monitoring to affected '
'individuals',
'data_breach': {'number_of_records_exposed': '4800',
'personally_identifiable_information': 'Yes',
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['Names',
'Social Security numbers',
'Personal information']},
'date_detected': '2024-08-17',
'date_publicly_disclosed': '2024-11-00',
'description': 'Consonus Healthcare Services experienced a data breach in '
'early August, compromising personal information of current '
'and former employees and job applicants. The company took '
'three months to notify affected individuals, putting them at '
'risk of identity theft and fraud.',
'impact': {'brand_reputation_impact': 'Negative impact due to delayed '
'notification and inadequate security '
'measures',
'data_compromised': 'Names, Social Security numbers, and other '
'personal information',
'identity_theft_risk': 'High risk of identity theft and fraud for '
'affected individuals',
'legal_liabilities': 'Lawsuit filed for negligence and '
'recklessness in data security'},
'investigation_status': 'Ongoing',
'post_incident_analysis': {'root_causes': 'Inadequate data security system, '
'failure to monitor security '
'systems for intrusion, '
'non-compliance with industry '
'standards and federal regulations'},
'references': [{'source': 'The Oregonian'}],
'regulatory_compliance': {'legal_actions': 'Lawsuit filed in U.S. District '
'Court in Portland',
'regulations_violated': ['Industry standards',
'Federal regulations on '
'cybersecurity'],
'regulatory_notifications': 'Notified Oregon’s '
'attorney general'},
'response': {'communication_strategy': 'Delayed notification to affected '
'individuals and Oregon’s attorney '
'general'},
'title': 'Consonus Healthcare Services Data Breach',
'type': 'Data Breach'}