HIPAA Times news | Concise, reliable news and insights on HIPAA compliance and regulations

Gándara Mental Health Center faces lawsuit after breach

Written by Abby Grifno | Nov 26, 2024 2:36:21 AM

The Springfield, Massachusetts-based mental health service provider is facing a lawsuit after being the victim of a data breach. 

 

What happened

On October 24th, 2024, the Gándara Mental Health Center filed a notice of a data breach with the Attorney General of Massachusetts after discovering that an unauthorized party accessed some information on the organization’s IT network. 

According to Gándara’s notice posted online, the breach was first discovered on June 20th, 2024. Accessed data included names, addresses, dates of birth, driver’s license numbers, Social Security numbers, medical information, and health insurance information. 

It’s believed that over 20,000 current and former patients may have had their data accessed. Gándara said they currently have no reason to believe the information has been misused.

The center was founded in 1977 as a bilingual mental health practice, largely serving Hispanic populations in Massachusetts. The center provides a variety of services, including young adult housing, LGBTQ+ support, drug use treatment, and more. 

 

What’s new

Now, Gándara is facing a class action lawsuit that claims the mental health center did not put appropriate safeguards in place to protect patient data.

The lawsuit alleges that the “defendant maintained the private information in a reckless manner. In particular, the private information was maintained on defendant’s computer network in a condition vulnerable to cyberattacks.” 

The plaintiff is arguing that, as a result of the breach, they and other class members “have been exposed to a heightened and imminent risk of fraud and identity theft. Plaintiff and class members must now and in the future closely monitor their financial accounts to guard against identity theft.” 

 

Why it matters

Class action suits can create heightened media attention and force healthcare providers to explain and justify their current cybersecurity practices. It’s common for smaller practices to have lax cybersecurity measures under the mistaken assumption that threat actors will not target them. More and more small and medium practices are falling victim to these attacks. 

Most cases settle, meaning that Gándara will likely face additional financial strain. As a non-profit, these financial burdens could be particularly difficult to overcome. 

 

The big picture

Despite data breaches becoming commonplace, many organizations fail to take a proactive approach to preventing cyberattacks. Healthcare data is valuable on the dark web, making every organization a potential target. Furthermore, data is often critical to operations, and some attacks can be disruptive, preventing patients from receiving the care they need.

Every organization should prioritize cybersecurity and do its best to stay on top of evolving threat trends. The right tools and policies can save organizations hundreds of thousands of dollars and their reputation. 
