Hackers in recent years have increasingly targeted healthcare providers, because they store not only personally identifiable information (PII) but also protected health information (PHI), which can include sensitive health information, such as about addiction and treatment. This class action brings suit against Gateway Rehabilitation Center, which does business as Gateway Rehab, for failing to take adequate measures to protect the PII and PHI of its patients.
The class for this action is all individuals in the US whose PII or PHI was compromised in the Gateway data breach announced on or around November 18, 2022.
The complaint quotes an article at SwivelSecure as saying, “High demand for patient information and often-outdated systems are among the nine reasons healthcare is now the biggest target for online attacks.”
Gateway, based in Aliquippa, Pennsylvania, is “the largest drug rehab and [addiction] recovery network in the greater Pittsburgh region,” the complaint says, offering long-term treatment. The complaint quotes Gateway’s Notice of Privacy Practices as saying, “The confidentiality of alcohol and drug abuse patient records is specifically protected by state and federal laws.”
Despite its awareness of this need for confidentiality, the complaint alleges, Gateway became aware that it had suffered a data breach on June 13, 2022. However, it did not announce this until November 18, 2022, the complaint alleges, and so failed to inform the individual victims within sixty days, as required by law.
The information compromised in the data breach, the complaint says, included names, dates of birth, Social Security numbers, driver’s license and state ID numbers, financial account and payment card information, and medical and health insurance information, and involved the records of some 130,000 people.
The complaint suggests that the data breach was not the whole story, saying that “on or around July 8, 2022, DataBreaches.net reported that Gateway was the apparent victim of a ransomware attack by the hacker group BlackByte.” It also claimed, “BlackByte leaked more than 4 GB of Gateway’s data onto the dark web. The leaked data contained numerous documents, including documents that include sensitive personal information on patients, such as their arrest records and history of behavior and substance related issues.”
The complaint alleges that the data breach occurred because Gateway did not put in place and follow adequate security measures to protect the PII and PHI it held in its systems. The complaint lists a number of security measures that it claims Gateway should have taken but did not.
The complaint claims, “Health information in particular is likely to be used in detrimental ways—by leveraging sensitive personal health details and diagnoses to extort or coerce someone, and serious and long-term identity theft.”
Article Type: LawsuitTopic: Privacy
Most Recent Case Event
Gateway Rehab Data Breach Complaint
November 28, 2022
Hackers in recent years have increasingly targeted healthcare providers, because they store not only personally identifiable information (PII) but also protected health information (PHI), which can include sensitive health information, such as about addiction and treatment. This class action brings suit against Gateway Rehabilitation Center, which does business as Gateway Rehab, for failing to take adequate measures to protect the PII and PHI of its patients.
Gateway Rehab Data Breach ComplaintCase Event History
Gateway Rehab Data Breach Complaint
November 28, 2022
Hackers in recent years have increasingly targeted healthcare providers, because they store not only personally identifiable information (PII) but also protected health information (PHI), which can include sensitive health information, such as about addiction and treatment. This class action brings suit against Gateway Rehabilitation Center, which does business as Gateway Rehab, for failing to take adequate measures to protect the PII and PHI of its patients.
Gateway Rehab Data Breach Complaint