Drug and Alcohol Treatment Services, Inc. (DATS), an outpatient substance abuse treatment center in Scranton, Pennsylvania, has reported a data breach affecting over 22,000 individuals. The breach stemmed from a network intrusion discovered in October 2024, potentially exposing sensitive patient information.
What happened
On or around October 6, 2024, DATS detected unauthorized activity within its computer network. According to their public notice, the organization immediately took steps to secure its systems and engaged third-party cybersecurity specialists to investigate the scope and nature of the intrusion. The investigation confirmed that an unauthorized actor may have accessed files containing patient data during the incident.
What's new
DATS officially reported the incident to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) on April 24, 2025, indicating that 22,215 individuals were affected. Following a detailed review of the potentially compromised data, DATS determined that the exposed information could include patient names, addresses, dates of birth, Social Security numbers, health insurance details, patient account numbers, medication information, diagnosis and treatment information, doctor names, and medical claims/billing information. DATS began notifying affected individuals and established a dedicated call center.
Why it matters
This breach involves highly sensitive protected health information (PHI) related to substance abuse treatment, alongside personally identifiable information (PII) like Social Security numbers. The exposure of such data puts affected individuals at risk of identity theft, financial fraud, and potential misuse of their private health details.
What they're saying
In its public notice, DATS stated, "The privacy and protection of information is a top priority for DATS, and we deeply regret any inconvenience or concern this incident may cause." While DATS mentioned they are currently unaware of any evidence suggesting misuse of the potentially accessed information, they are advising caution. Multiple law firms (including Shamis & Gentile P.A., Srourian Law Firm, ClassAction.org affiliates, and Strauss Borrelli PLLC) have announced investigations into the breach, exploring potential legal action on behalf of affected individuals.
The big picture
The significant delay between the discovery of the intrusion in October 2024 and the official notification to the HHS and the public in late April/early May 2025 is notable. This incident adds to the growing number of cyberattacks targeting healthcare organizations and proves the importance of security measures and timely breach response protocols. The immediate interest from multiple legal firms suggests potential scrutiny regarding the adequacy of DATS' data security practices leading up to the breach.
FAQs
What is a class action lawsuit in the context of a data incident?
When a data breach affects many people similarly, a class action lawsuit allows one or more individuals (lead plaintiffs) to sue the breached entity on behalf of the entire group (the class). If successful, the lawsuit could potentially recover compensation for harm suffered by class members (e.g., out-of-pocket costs, time spent addressing issues, increased risk of future harm) and may force the company to implement stronger data security measures. Multiple law firms are currently investigating whether such a lawsuit is appropriate against DATS.
What should affected individuals do now?
Remain vigilant. Carefully review the notification letter from DATS (if received). Monitor financial statements, credit reports, and Explanation of Benefits (EOB) statements from health insurers for any unauthorized activity. Consider placing a fraud alert or credit freeze on your credit files. Utilize the dedicated DATS hotline (1-833-799-4385, M-F 8 AM - 8 PM EST) if you have specific questions.
What are fraud alerts?
A Fraud Alert (usually lasting one year) requires potential creditors to take extra steps to verify your identity before issuing new credit in your name.
What are credit freezes?
A Credit Freeze (or Security Freeze) restricts access to your credit report entirely, making it much harder for anyone (including you) to open new credit accounts. Freezes usually remain until you lift them. Both can usually be requested from the major credit bureaus (Equifax, Experian, TransUnion).
