The data breach at Kisco Senior Living could affect more than 26,000 people

Computer code and text displayed on computer screens.  Photographer: Chris Ratcliffe/Bloomberg
(Credit: Chris Ratcliffe/Bloomberg Creative/Getty Images)

More than 26,000 Kisco Senior Living residents and others could have been affected by a hacking incident in June, the company’s legal counsel said last week.

The Carlsbad, California-based operator, which manages 25 senior living communities in eight states and Washington, D.C., said in an April 16 letter to those potentially affected that the data breach occurred around June 6. Names and social security numbers could have been revealed in the incident, counsel said.

“Kisco has taken immediate steps to secure its network environment and has engaged cybersecurity experts to conduct an investigation to determine what happened,” Donna Maddux, partner in the cybersecurity and data privacy team at law firm Constangy, said. Brooks, Smith & Prophete, to Maine. Attorney General Aaron Frey in an April 17 letter notifying him of the violation, as required by state law. She reported that 26,663 individuals, including seniors, were affected, 13 of whom lived in Maine.

“Kisco then engaged a third-party vendor to conduct an extensive investigation of the potentially affected data to determine if any personal information may have been involved,” Maddux said. In its letter, Kisco said it had identified those affected on April 9.

“Kisco has reported this incident to the Federal Bureau of Investigation’s Internet Crime Complaint Center and will cooperate with all investigative efforts in an effort to hold the perpetrator(s) of this incident accountable, if possible,” Maddux told Frey. “Kisco has also implemented additional security features in an effort to prevent a similar incident in the future.”

Kisco has also notified other states where potentially affected individuals live.

The operator is offering all potentially affected individuals 12 months of free credit and dark web monitoring, a $1 million refund policy for identity fraud losses, identity theft recovery services and 90 days of access to a call center, Maddux said. In its letter to those potentially affected, Kisco also shared additional information about steps people can take to protect their personal information.

Ransomware group BlackByte claimed responsibility for the attack, according to Comparitech, which said the Kisco attack is the third largest among the ransomware-as-a-service malware group based on the number of records affected and that the group claims on average a ransom of $375,000.

News of the breach comes as Kisco celebrates several of its communities being recognized in U.S. News & World Report’s Best Senior Living rating program.