Non-profit provider of drug and alcohol addiction services, Drug and Alcohol Treatment Services, Inc. (DATS), based in Scranton, PA, is facing multiple class action lawsuits because of a ransomware attack in October 2024. DATS discovered the unauthorized access to its computer system on October 6, 2024. Based on the forensic investigation, an unauthorized third party accessed the protected health information (PHI) of 22,215 persons from October 5 to October 6, 2024. The breached data in the incident included the following: patient names, birth dates, medical backgrounds, treatment data, medical insurance details, medical claims data, billing details, Social Security numbers, and financial data.
DATS confirmed the data breach on December 5, 2024; nonetheless, it did not issue notification letters to the impacted persons until May 2, 2025. According to DATS, there was no reported misuse of the stolen information at the time of sending notification letters. Still, it offered the impacted persons free credit monitoring and identity theft protection services. The notification letters did not mention the precise nature of the attack; nevertheless, the Interlock ransomware group professed responsibility for the cyberattack and stole 150 GB of data. DATS did not pay the ransom, so the ransomware group posted the stolen information on its data leak website. The group states that the exposed files consist of the personal information of workers and patients.
Presently, DATS is facing about eight class action lawsuits due to the data breach. The lawsuits have the same claims, such as negligence for not protecting its IT systems and the sensitive data of patient and staff members. The lawsuits state that it was possible to prevent the data breach if DATS had set up appropriate security measures and ensured HIPAA compliance. The lawsuits likewise assert that DATS failed to send prompt notifications to the impacted persons, who knew about the theft of their sensitive data after seven months of discovering the data breach. The lawsuits state that the late notification resulted in the plaintiffs and class members losing the chance to take action to mitigate the damaging impact of the data breach. The lawsuits additionally claim breach of implied contract, breach of fiduciary duty, breach of confidence, unjust enrichment, and violation of privacy.
The lawsuits want class certification, a jury trial, lawyer’s fees, damages, refund of legal fees and expenditures, and injunctive relief, which includes a court order requiring DATS to use measures to enhance safety.