Posted On December 14, 2022 Consumer Privacy & Data Breaches
December 14, 2022 – Kaye-Smith filed notice of a data breach with the Office of Consumer Protection of the Montana Attorney General after the company was the target of a recent ransomware attack. The breach affected information the company received from MultiCare, a large regional health network for which Kaye-Smith processes personal information as a part of the mailing services it provides. Based on the company’s official filing, the incident resulted in an unauthorized party gaining access to consumers’ names, addresses and Social Security numbers. After confirming that consumer data was leaked, Kaye-Smith began sending out data breach notification letters to all individuals who were impacted by the recent data security incident.
If you received a data breach notification, it is essential you understand what is at risk. The data breach lawyers at Console & Associates, P.C. are actively investigating the Kaye-Smith data breach on behalf of people whose information was exposed. As a part of this investigation, we are providing free consultations to anyone affected by the breach who is interested in learning more about the risks of identity theft, what they can do to protect themselves, and what their legal options may be to obtain compensation from Kaye-Smith.
The available information regarding the Kaye-Smith breach comes from the company’s data breach letter, filed with the Office of Consumer Protection of the Montana Attorney General’s office. According to this source, in June 2022, Kaye-Smith learned of a potential data security incident when it detected suspicious activity throughout its computer network. In response, the company worked with outside experts to investigate the incident and determine whether any confidential consumer information was leaked as a result.
The Kaye-Smith investigation confirmed that the company had been the victim of a ransomware attack. As a result of the cyberattack, hackers were able to gain access to certain files stored on the Kaye-Smith network. Further investigation revealed that some of these files contained sensitive information pertaining to one of the company’s corporate clients, MultiCare.
Upon discovering that sensitive consumer data was made available to an unauthorized party, Kaye-Smith began to review the affected files to determine what information was compromised and which consumers were impacted. While the breached information varies depending on the individual, it may include your name, address, and Social Security number.
On December 9, 2022, Kaye-Smith sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident. While the Kaye-Smith data breach letter does not mention whether customers of any of the company’s other clients were affected, we know that the Kaye-Smith data breach affected certain MultiCare patients.
Founded in 1908, Kaye-Smith is a business services company based in Renton, Washington. The company provides its corporate clients with various solutions related to branded merchandise, statement processing and billing services, inventory management, direct mail marketing, web applications, warehousing and distribution, data management and personalized fulfillment. Kaye-Smith operates three locations: Renton, WA; Portland, OR; and Boise, ID. Kaye-Smith employs more than 170 people and generates approximately $39 million in annual revenue.
Founded in 1882, MultiCare is a not-for-profit healthcare company based in Tacoma, Washington. MultiCare is the largest, not-for-profit, community-based, locally-owned health system in Washington State. MultiCare operates 11 hospitals in the region, including:
MultiCare also operates MultiCare Behavioral Health Network, MultiCare Indigo Health, Mary Bridge Children’s Hospital & Health Network, Pulse Heart Institute and MultiCare Rockwood Clinic. MultiCare employs more than 20,000 people and generates approximately $2 billion in annual revenue.
The Kaye-Smith data breach is what is known as a third-party data breach. A third-party data breach occurs when consumer information is leaked as a result of a cyberattack at a company that received the information from another company rather than directly from the consumer. Often, these breaches occur when companies outsource certain services, which require the outsourcing company to provide consumer information to the vendor who will perform the services. As a result, in most third-party data breaches, consumers have no idea that the targeted company has their information.
Third-party data breaches raise a number of concerns, primarily related to consumers losing control over their data once it leaves the hands of the company they gave it to. For example, you have a right to tell any company you provide with your information what they can—and cannot—do with it. However, once that company hands off your information to a third-party vendor, the vendor isn’t necessarily bound by the same privacy rules. On top of that, third-party vendors are a good target for hackers because they serve as “data banks” where a wide range of consumer data is stored. Indeed, a recent survey found that third-party data breaches make up about 60 percent of all data breaches.
After a data breach, the organization responsible for leaking consumer information may be liable through a data breach lawsuit. However, just because a breach occurred and your information was compromised doesn’t necessarily mean that the company you trusted with your information is financially responsible to you for any harm, such as identity theft. As a general rule, it is only when a company’s negligence was a contributing factor leading up to the breach that it is legally liable for a victim’s damages.
While all data breach lawsuits are complex, third-party data breaches are especially so. The term third-party data breach describes an incident where the company that was targeted in the cyberattack is not the same organization that was initially entrusted with the leaked information.
Determining which company is liable for the data breach can be challenging, and consumers whose information was leaked may not know where to look for answers. However, generally speaking, any company that maintains, stores, transmits or receives consumer data has a legal obligation to the consumer—regardless of whether the company that was breached received the information directly from a consumer. In fact, for the most part, it does not matter how a company comes into possession of consumer data. Instead, the question is whether the company that was hacked or otherwise leaked the information was negligent.
In the case of the Kaye-Smith data breach, it would appear that MultiCare’s systems were not breached and, therefore, MultiCare is not likely responsible for consumers’ information being compromised. Thus, at this early point, it would appear that if any party is liable for the breach, it would be Kaye-Smith.
At Console & Associates, P.C., our consumer privacy lawyers monitor all security and data breaches to help affected consumers pursue their legal remedies. We offer free consultations to victims of data breaches and can explain your rights in clear, understandable terms so you can make an informed decision about how to proceed with your case. If you’ve been affected by the Kaye-Smith data breach or any other data security incident, Console & Associates, P.C., will investigate your case at no charge and offer you thorough advice about how to most effectively proceed with your case. If you decide to bring a case, we only get paid if you do. If your claim is successful, any legal fees are either paid by the defendant or come out of the funds recovered from the defendant. If your claim doesn’t result in a recovery, you will pay nothing.
To schedule your free consultation, just call (866) 778-5500 today or fill out our secure contact form.
Below is a copy of the initial data breach letter issued by Kaye-Smith (the actual notice sent to consumers can be found here):
Dear [Redacted],
Kaye-Smith is providing notice of a recent incident affecting certain personal information it processes. We process your personal information as a mailing service provider for MultiCare. The confidentiality, privacy, and security of personal information in Kaye-Smith’s systems is very important to Kaye-Smith, and Kaye-Smith takes this incident seriously. This notice provides information on the incident and what we are doing in response, to keep the personal information we process safe and secure.
What Happened?
In June 2022, Kaye-Smith engaged outside experts to help investigate suspicious activity relating to its operating environment. A detailed investigation into the matter ultimately confirmed that a discrete number of files were compromised as part of a ransomware attack by a bad actor, with available logs identifying the first suspicious activity in late May 2022. Subsequently, a thorough review of the operating environment was performed to identify the types of information potentially compromised.
What Information Was Involved?
You are receiving notice because your name, address, and Social Security Number were identified as being potentially affected.
What We Are Doing
Through our investigation we confirmed the scope of this incident, the security of our environment and that our systems are not otherwise currently at risk. In order to prevent any further unauthorized access, we have enhanced our security measures and monitoring.