SALT LAKE CITY (ABC4) — The attorneys general of Utah and Oregon have reached a settlement with Avalon Healthcare Management over a 2019 data breach that exposed the personal information of over 4,000 Utahns.

Utah Attorney General Sean Reyes announced the Dec. 22, 2022 settlement today, noting that a total settlement amount of $200,000 will be evenly split between Oregon and Utah. Avalon has also agreed to develop and maintain “several data security practices” to strengthen its protection of sensitive information.

A total of 14,500 patients and employees were affected by the 2019 breach. Avalon provides nursing, therapy, senior living, assisted living, and other medical services in six U.S. states.

Reyes said Avalon did not notify patients until 10 months after the breach occurred. They had also not notified state or federal regulators.

“A scammer gained access to Avalon’s email system in 2019, allowing access to names, addresses, social security numbers, dates of birth, driver’s license numbers, medical treatment information including diagnosis, health conditions, medications, and financial information,” stated a press release from Reyes’ office.

“Companies, like Avalon, that retain consumers’ protected health information, have a duty to keep this data safe from unauthorized access,” stated Oregon Attorney General Ellen Rosenblum. “Avalon dealt with the personal health-related information of some of our most vulnerable residents.”

The settlement can be read below: