Drug and Alcohol Treatment Services Facing Multiple Class Action Data Breach Lawsuits
A Pennsylvania non-profit provider of drug and alcohol addiction services is facing multiple class action lawsuits over an October 2024 ransomware attack. Drug and Alcohol Treatment Services, Inc. (DATS), based at 441 Wyoming Avenue in Scranton, PA, identified unauthorized access to its computer network on October 6, 2024. The forensic investigation confirmed that an unauthorized third party had access to the protected health information of 22,215 individuals between October 5 and October 6, 2024. Data compromised in the incident included patient names, dates of birth, medical histories, treatment information, health insurance information, medical claims information, billing information, Social Security numbers, and financial information.
The data breach was confirmed by DATS on December 5, 2024; however, notification letters were not sent to the affected individuals until May 2, 2025. DATS said it was unaware of any misuse of the stolen data at the time of issuing notification letters and offered the affected individual complimentary credit monitoring and identity theft protection services. The notification letters did not state the exact nature of the cyberattack; however, the Interlock ransomware group claimed responsibility for the attack and said 150 GB of data was stolen. The ransom was not paid, so the group published the stolen data on its data leak site. The group claims the leaked files include the personal data of employees and patients.
Currently, at least eight class action lawsuits have been filed against DATS over the data breach. The lawsuits make similar claims, including negligence for failing to protect its information technology systems and sensitive patient and employee data. The lawsuits claim the data breach could have been prevented if DATS had implemented reasonable security measures and adhered to industry-standard data security practices. The lawsuits also claim that DATS did not provide timely notifications to the affected individuals, who were informed that their sensitive data had been stolen seven months after the data breach. The lawsuits claim the notification delay deprived the plaintiffs and class members of the opportunity to take action to mitigate the harmful effects of the data breach. The lawsuits also assert claims of breach of confidence, breach of implied contract, breach of fiduciary duty, unjust enrichment, and invasion of privacy.
The lawsuits seek class certification, a jury trial, damages, attorneys’ fees, reimbursement of legal costs and expenses, and injunctive relief, including an order from the court compelling DATS to implement measures to improve security.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
