Columbus, OH — A former Wisconsin employee of Atrium Centers has filed a proposed class-action lawsuit in federal court, alleging the multistate skilled nursing operator failed to adequately protect personal information compromised during an October cyberattack. The complaint, filed Dec. 2 in the US District Court for the Southern District of Ohio, seeks class certification, damages, and a court order requiring stronger cybersecurity safeguards.
Plaintiff Shannon Shawanokasic says her personal and health information was among the data accessed during the incident. According to the lawsuit, she now spends significant time each day monitoring financial accounts and responding to an influx of spam tied to contact information she once provided to Atrium.
What’s Confirmed About the Breach
Atrium, headquartered in Ohio with facilities in Kentucky, Michigan, Wisconsin, and Ohio, reported a privacy incident in November. In its public notice, the company said investigators found that unauthorized access occurred between Oct. 8 and Oct. 12, during which files and folders were viewed or copied. Atrium said it currently has no evidence that stolen information has been misused and that the organization is reviewing affected files and notifying individuals.
The ransomware group Medusa later claimed responsibility for the attack, a threat that aligned with federal advisories warning healthcare providers about Medusa’s tactics and targeting patterns throughout 2025.
Allegations Still Being Litigated
The lawsuit accuses Atrium of failing to implement widely accepted cybersecurity controls, secure or encrypt sensitive data, or adequately dispose of personal information. These assertions reflect the plaintiff’s claims and have not been proven in court.
The complaint also alleges that Atrium has not sufficiently notified all affected individuals and has not offered complimentary credit monitoring. Atrium’s public incident notice indicates that notifications are underway, creating a factual dispute that will likely be examined as the case proceeds.
In describing the attackers’ intent, the lawsuit asserts that cybercriminals “intentionally targeted” Atrium because of the sensitive personal and medical data it maintains. This characterization is drawn from the plaintiff’s filing rather than a confirmed forensic conclusion.
