3 days ago
Scranton-based treatment center faces eight lawsuits over data breach
A Scranton-based nonprofit addiction treatment organization faces eight class-action lawsuits regarding a data breach involving health and personal identification records of over 22,000 former and current patients.
The separate, but similar, lawsuits filed from May 14 to May 23 in Lackawanna County Court each name as the defendant Drug and Alcohol Treatment Service of 441 Wyoming Ave.
Claiming the agency negligently failed to safeguard its information technology network, the lawsuits are all potential class actions filed by prospective lead plaintiffs on behalf of themselves and all others similarly situated.
The lawsuits seek court certification of the class and unspecified damages, fees, costs and interest. Certification, if approved, would be a key step in favor of the plaintiffs. Whether or how the court might consolidate the cases also remains to be seen.
Efforts to reach the nonprofit company were unsuccessful.
A 'Notification of Data Security Incident,' posted on the website of the organization, says it 'became aware of unauthorized activity' on its network around Oct. 6 and took immediate action to secure it and have outside specialists investigate. By April 15, the analysis determined that a limited amount of information may have been accessed between Oct. 5-6, and 'the potentially affected information included patient names, addresses, dates of birth, Social Security numbers, health insurance information, patient account numbers, medication information, diagnosis and treatment information, doctor names, and medical claims and billing information,' according to the notice.
It added that DATS also implemented additional network security measures and reviewed its data protection policies and procedures.
'Although we have no evidence of misuse of information as a result of this incident, we encourage potentially impacted individuals to enroll in complimentary credit monitoring and identity protection services we are making available,' the notice said.
One lawsuit described the treatment center's corrective actions as 'too little, too late,' because the victims of stolen data lost time in detecting and preventing identity theft and face an increased risk of it.
The company notified a governmental agency about the data breach on April 24, listing 22,215 victims, but waited until May 2 to issue a public notice and begin sending out letters to those affected by the incident, according to one of the lawsuits.
Some of the other claims in the lawsuits include:
• The cybercriminals appear to be a notorious ransomware group, 'Interlock,' which claimed credit for the breach and transfer of at least 133 gigabytes of data. If the data has not already been published on the dark web, it likely would happen soon.
• The breach was preventable through various ways, including encryption, training, spam filters, firewalls, anti-virus and malware programs, to name a few. The agency should have known it was at risk because cyber attacks targeting health care entities have become widespread.
• Plaintiffs already have spent considerable time reviewing bank accounts, monitoring credit and changing passwords and have suffered fear, anxiety and stress. Victims now face years of constant monitoring of their financial and personal records. Fraudulent activity might not come to light for years, and there could be a time lag in detecting it.
• The center failed to adhere to federal guidelines and industry standards and violated health information protection rules.
• Some of the other counts include: breaches of implied contract, confidence and fiduciary duty; unjust enrichment; and invasion of privacy.
Seven lawsuits each had one individual lead plaintiff, while the other one had two plaintiffs filing jointly. The suits listed six plaintiffs as former patients, but did not specify the other three.
The dates of filings, number of prospective lead plaintiffs and law firms representing them include:
May 14: One plaintiff represented by the Shub Johns & Holbrook law firm of Conshohocken and the Milberg Coleman Bryson Phillips Grossman firm of Washington, D.C.
May 15: One plaintiff represented by the Kopelowitz Ostrow law firm of Fort Lauderdale, Florida, and the Shamis & Gentile law firm of Miami.
May 21: One plaintiff represented by the Saltz Mongeluzzi Bendesky law firm of Philadelphia and the Strauss Borelli firm of Chicago.
May 21: One plaintiff represented by Saltz Mongeluzzi Bendesky and the Finkelstein, Blankinship, Frei-Pearson & Garber firm of White Plains, New York.
May 21: One plaintiff represented by the Kopelowitz Ostrow law firm.
May 21: One plaintiff represented by the Adhoot & Wolfson law firm of Radnor and the Siri & Glimstad firm of New York City.
May 23: One plaintiff represented by the Shub Johns & Holbrook law firm of Conshohocken and the Clayeo Arnold firm of Sacramento, California.
May 23: Two plaintiffs filing jointly represented by the Kimmel & Silverman firm of Ambler and the EKSM firm of Houston.
According to the DATS website: the private, nonprofit 501(c)3 corporation was established in 1977 to provide outpatient treatment to residents of Lackawanna County suffering from drug and alcohol abuse; it grew over the years to become the state-designated provider for drug and alcohol counseling covering all of Lackawanna County and one of the largest outpatient service providers in the state; its roster has grown to 30 clinical staff members with an average monthly caseload of 700 patients; licensed by the state, the center is a provider for the Lackawanna-Susquehanna Office of Drug and Alcohol Programs.
One of the lawsuits described the prospective class as 'nationwide.'
