An Oregon health care services firm is facing a proposed class‑action lawsuit after a cybersecurity breach exposed the personal information of nearly 4,800 current and former employees and job applicants.
According to The Lund Report, Consonus Healthcare Services, a healthcare services company located in Oregon, is facing a proposed class-action lawsuit. The lawsuit follows a cyberattack that compromised the personal information of thousands of current and former employees as well as job applicants. This legal complaint was filed on Monday, 22 December, in the U.S. District Court in Portland.
In August 2025, Consonus Healthcare Services discovered a significant data breach that exposed sensitive personal information of approximately 4,800 current and former employees and job applicants. The breach, which occurred on August 9 but was only disclosed publicly three months later, allowed unauthorized actors to access names, Social Security numbers, and other identifying data.
The lawsuit alleges that Consonus failed to implement adequate cybersecurity measures, neglecting industry standards and federal requirements designed to protect personal data. Plaintiffs claim the company was slow to detect and respond to the intrusion, increasing the risk of identity theft and fraud for those affected. Additionally, the breach notification sent to victims is criticized for lacking transparency about the breach’s cause and for offering only limited short-term credit monitoring, which plaintiffs argue is insufficient given the enduring risks associated with stolen personal information.
The legal filing quotes Kaushik expressing ongoing anxiety and frustration since learning his information was compromised. The suit outlines potential harms from the breach, including the possibility of criminals using the stolen data to open financial accounts, obtain loans, secure medical services or government benefits fraudulently, file false tax returns, or even interact with law enforcement under false identities.
Consonus has not yet issued a public response to requests for comment on the lawsuit. Lawyers representing Kaushik and other plaintiffs also did not respond to inquiries seeking more detail.
The Health Insurance Portability and Accountability Act (HIPAA) requires health care providers, insurers, and their business associates to safeguard protected health information (PHI). The law sets national standards for privacy and security through its Privacy Rule and Security Rule.
The Privacy Rule controls how PHI is used and shared, while the Security Rule mandates technical and administrative safeguards to protect electronic PHI (ePHI), such as encryption and access controls. Covered entities and their business associates must also notify affected individuals and authorities promptly if a breach occurs.
These protections help prevent identity theft, fraud, and unauthorized disclosures, ensuring patients’ sensitive health information remains confidential. Failure to safeguard PHI can result in legal penalties, including fines and corrective actions, as well as damage to an organization’s reputation and loss of patient trust.
In the Consonus case, the alleged delay in breach detection and notification, along with insufficient security measures, indicates a lack of HIPAA compliance that resulted in a lawsuit.
Exposed data can lead to identity theft, financial fraud, unauthorized access to medical benefits, and long-term misuse of personal information.
Under HIPAA’s Breach Notification Rule, covered entities and business associates must notify affected individuals without unreasonable delay and no later than 60 days after discovering the breach.
HIPAA requires covered entities and business associates to protect electronic protected health information (ePHI) using administrative, physical, and technical safeguards. Key measures include:
These steps help prevent unauthorized access and data breaches.